
CCNA

Models and Layers summary

The OSI model and the TCP/IP model are both used to standardize the networking model; TCP/IP is the most popular model today. TCP/IP protocols are identified by RFC numbers, and each protocol belongs to one of the 4 layers of the TCP/IP model:

TCP/IP Layer   | Function                                                                                                        | OSI equivalent                                                                     | Devices
Application    | Provides network services to application software                                                               | Application, Presentation, Session                                                 |
Transport      | Uses TCP or UDP to process the delivery of data: error recovery, data segmentation                              | Transport                                                                          |
Internet       | Defines logical addressing and performs data routing                                                            | Network                                                                            | Routers
Network Access | Defines the protocols and hardware required to deliver data over the physical network; arbitration and error discovery | Data Link (MAC includes the logical topology; LLC identifies the L3 protocol), Physical | L2: switch, bridge, AP, DSL modem, cable modem; L1: hub, repeater, CSU/DSU

Arbitration is the ability to determine when to send data out on the physical media; it is an L2 function. Same-layer interaction happens between 2 computers using the same protocol at the same layer. Adjacent-layer interaction happens inside one computer, when data is passed between neighbouring layers. Many protocols are produced to fit the purpose of a single layer only; this is called binding (to a layer). The upper layers (5, 6, and 7) of the OSI model occur in the host. Network management stations (NMSs), servers, hosts, and gateways operate at all 7 layers.

Cisco 3 Layer Model:
1) Access Layer: switches and routers, segmentation, group access, and static routing
2) Distribution Layer, time-sensitive manipulation: routing, filtering, WAN access, broadcast, multicast, media translations, security
3) Core Layer, speed: high-speed access such as FDDI and ATM

Physical vs. Logical topology
Physical | Logical
Bus      | Bus
Star     | Bus/Ring
Ring     | Ring

Device summary

Catalyst switch LEDs:
Name                         | Description
SYST (system)                | Shows the overall system status; blinking green can mean rebooting, power outage, etc. Amber when hardware fails.
RPS (Redundant Power Supply) | Shows the status of the extra (redundant) power supply.
STAT (Status)                | If on (green), each port LED shows that port's status.
DUPLX (duplex)               | If on (green), each port LED shows that port's duplex (on/green is full; off means half).
SPEED                        | If on (green), each port LED shows the speed of that port: off means 10 Mbps, solid green means 100 Mbps, and flashing green means 1 Gbps.
Port                         | Has different meanings depending on the port mode, as toggled with the mode button.

MAC address = Token Ring address = FDDI address = Ethernet address = physical address = BIA (burned-in address)

Hub: a single logical bus; all connected devices share the bandwidth; uses CSMA/CD; always half-duplex.
Switch: creates a collision domain for each interface (microsegmentation); if only one device is plugged into an interface, no collision will ever occur.
Wireless AP: shares its collision domain with all devices connected to it; uses CSMA/CA. Connects to a switch via a straight-through cable.
Router: creates a separate collision domain and a separate broadcast domain for each interface. A router doesn't forward broadcasts/multicasts by default.

Feature                            | WAP | Hub | Switch | Router
Greater cabling distances allowed  | No  | Yes | Yes    | Yes
Creates multiple collision domains | No  | No  | Yes    | Yes
Increases bandwidth                | No  | No  | Yes    | Yes
Creates multiple broadcast domains | No  | No  | No     | Yes

MTU is the maximum size of a PDU; different network encapsulations have different MTUs. If a bigger packet needs to be sent, the router fragments it (an IPv4 packet with the DF bit set is dropped instead). The MTU can be set manually with the mtu command (all L3 protocols) and the ip mtu command (MTU for IP only). When both are set, ip mtu takes precedence. If mtu is set after ip mtu, ip mtu is reset to match mtu.

A SAN connects data storage devices using special channels such as Fibre Channel or SCSI. It can be configured as centralized or distributed. Network attached storage (NAS) interconnects hosts and storage devices using a device such as a switch or hub.

CCNA Layer 1

A networking device creates an electrical circuit using each wire pair, and varies the signal as defined by the encoding scheme, to send bits over the wire.

When transmitting data over a hub:
1) The NIC of PC1 sends a frame out, which at the same time loops onto its own receiving pair.
2) The hub connected to the NIC receives the frame and repeats it out on the receiving pair of all devices connected to the hub (except the interface on which the frame was received).
Because a hub repeats every frame to every port, a hub can be used as a cheap tap for IDS/IPS monitoring.
Straight-through cable: both ends T568A or both T568B. Crossover cable: one end T568A and the other T568B. Single-mode fiber uses a laser, multimode fiber uses an LED. A rollover cable is used to configure a router through its console port, while a crossover cable is used for connectivity between like devices. ISDN operates at Layer 1.

CCNA Layer 2

Latency is the time measured from when a frame enters a port to the time it exits the port. Switches and bridges don't filter multicast/broadcast frames; they perform transparent bridging. Cisco offers Catalyst (business) and Linksys (SOHO) switches that function right out of the box. Switches support rate adaptation, meaning they can work with ports running at different speeds. Switches have a CON (console) port, whose logging output can be turned off with no logging console, and an AUX port; they do not have an interface 0/0. Switches have CDP on by default; because CDP advertises the platform and IOS version in clear text, disable it on untrusted ports with no cdp enable. Layer 2 defines how data is formatted for transmission. When a new IOS is loaded, or you have changed your config-register, you need to reload the switch. Because an ARP request is a broadcast, every host on the segment sees the requester's IP-to-MAC mapping and can record it; the reply itself is unicast to the requester. When configuring ip address dhcp on VLAN 1 (the switch's management interface), don't configure the ip default-gateway command. Forwarding a frame = sending it; filtering a frame = NOT sending it.

The first Ethernet was developed by DEC, Intel, and Xerox, and called DIX Ethernet. This technology was later standardized by the IEEE and revised. Between the Layer 2 header and the Layer 3 header, the device may add an LLC or SNAP header to carry more information (such as which L3 protocol follows). Note that L2 is the only layer with both a header and a trailer.

Whenever a frame arrives, the switch records the source MAC address, together with the VLAN and the ingress interface, as an entry in the CAM table if it is not already there. It then looks up the destination MAC address: if the address is known, the frame is forwarded out that one interface; if it is unknown (or a broadcast/multicast), the frame is flooded out every other port in the VLAN. Every entry has an inactivity timer that increments as time passes; when another frame from that source MAC address is received, the timer resets to 0. When the table runs out of memory, the switch removes the entries with the largest inactivity value. Because the table is finite, an attacker can flood it with forged source addresses until legitimate entries are evicted and the switch falls back to flooding unicast frames to every port, including the attacker's; port security (limiting the MAC addresses learned per port) is the usual mitigation. A switch can't forward a frame back out the interface it came in on (even if the source and destination MAC addresses differ); if the frame is destined for a different VLAN, it must go to a router or L3 switch for inter-VLAN routing and then come back to the switch to be forwarded into the other VLAN. A LAN consists of all the devices in the same broadcast domain.
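A small simulation of the learning, forwarding and flooding behaviour just described, added here as an example (it is not code from the original notes). The table capacity, aging time, port names and MAC addresses are assumed values chosen for illustration; the last step shows why a full CAM table makes the switch flood unicast traffic again.

```python
"""Simulation of a switch MAC (CAM) table: learning, aging, forwarding and flooding.
Added example, not from the original notes; capacity, aging time and sample frames
are assumed values."""


class MacTable:
    """One CAM table. Keys are (vlan, mac); values are [port, last_seen]."""

    def __init__(self, capacity=4, aging_time=300):
        self.capacity = capacity          # assumed tiny; real switches hold thousands
        self.aging_time = aging_time      # Cisco default aging time is 300 s
        self.entries = {}

    def age_out(self, now):
        """Drop entries whose inactivity exceeds the aging time."""
        expired = [k for k, (_, seen) in self.entries.items() if now - seen > self.aging_time]
        for k in expired:
            del self.entries[k]

    def learn(self, vlan, src_mac, port, now):
        """Record the source MAC of an arriving frame; refresh the timer if already known."""
        key = (vlan, src_mac)
        if key in self.entries:
            self.entries[key][0] = port   # a MAC that moved ports is followed
            self.entries[key][1] = now
            return
        self.age_out(now)
        if len(self.entries) >= self.capacity:
            # Table full: evict the entry idle the longest (largest inactivity value)
            oldest = min(self.entries, key=lambda k: self.entries[k][1])
            del self.entries[oldest]
        self.entries[key] = [port, now]

    def forward(self, vlan, src_mac, dst_mac, in_port, ports, now):
        """Return the egress ports for a frame. ports = all ports in this VLAN."""
        self.learn(vlan, src_mac, in_port, now)
        hit = self.entries.get((vlan, dst_mac))
        broadcast = dst_mac == "ff:ff:ff:ff:ff:ff"
        if hit is None or broadcast:
            # Unknown unicast or broadcast: flood everywhere except the ingress port
            return sorted(p for p in ports if p != in_port)
        if hit[0] == in_port:
            return []                     # never forward back out the ingress port
        return [hit[0]]


def demo():
    """Normal learning, then a burst of forged source MACs that evicts the real entries."""
    ports = {"Fa0/1", "Fa0/2", "Fa0/3"}
    table = MacTable(capacity=4)
    results = {}
    # PC1 (Fa0/1) talks to PC2 (Fa0/2): destination unknown, so the frame is flooded
    results["first"] = table.forward(1, "00:00:00:00:00:01", "00:00:00:00:00:02", "Fa0/1", ports, 0)
    # PC2 replies: both MACs are now known, unicast forwarding from here on
    results["reply"] = table.forward(1, "00:00:00:00:00:02", "00:00:00:00:00:01", "Fa0/2", ports, 1)
    results["known"] = table.forward(1, "00:00:00:00:00:01", "00:00:00:00:00:02", "Fa0/1", ports, 2)
    # Attacker on Fa0/3 sends frames with forged source MACs (constructed sample data)
    for i in range(10):
        table.forward(1, "de:ad:be:ef:00:%02x" % i, "ff:ff:ff:ff:ff:ff", "Fa0/3", ports, 3 + i)
    # PC2's entry was evicted, so PC1's unicast traffic is flooded again, reaching Fa0/3
    results["after_flood"] = table.forward(1, "00:00:00:00:00:01", "00:00:00:00:00:02", "Fa0/1", ports, 20)
    return results


if __name__ == "__main__":
    for step, egress in demo().items():
        print("%-12s -> %s" % (step, egress))
```

Port security caps the number of entries a single port may contribute, which is exactly what stops the eviction loop in the last step.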
VLAN

A VLAN is used to allow 1) flexible grouping (no broadcast information leaks between groups), 2) reduced traffic (fewer frames -> less overhead), and 3) a separate STP instance for each VLAN to prevent switching loops. Same VLAN <=> same broadcast domain <=> same subnet.
- Default VLAN: VLAN 1; all ports belong to it by default.
- Management VLAN: the VLAN used to reach the switch itself (telnet, SSH).
- Native VLAN: the VLAN whose frames are sent untagged on an 802.1Q trunk (VLAN 1 by default).
By default a switch sends frames to other switches with no VLAN information. VLAN information can be added by tagging frames with a trunking protocol, so each frame identifies its VLAN and unnecessary traffic is avoided. When using a trunking protocol, the ports at which switches connect MUST form a trunk. On Cisco devices a trunk can be established by DTP or by manual configuration. DTP allows a port to be in one of 4 modes: Access (no trunk), Dynamic Desirable, Dynamic Auto, and Trunk. The mode is set with the switchport mode interface command followed by one of the values above. DTP is enabled by default; the default mode is Dynamic Desirable on older switches and Dynamic Auto on newer ones. The result of negotiation between the two ends of a link:

                  | Access     | Dynamic Auto | Dynamic Desirable | Trunk
Access            | Access     | Access       | Access            | Do not use
Dynamic Auto      | Access     | Access       | Trunk             | Trunk
Dynamic Desirable | Access     | Trunk        | Trunk             | Trunk
Trunk             | Do not use | Trunk        | Trunk             | Trunk

Access + Trunk is a mismatch (one side tags, the other does not) and should not be used. Because a port left in a dynamic mode will negotiate a trunk with whatever is plugged into it, ports facing end hosts should be hard-set with switchport mode access and switchport nonegotiate (which turns DTP off on that port).

When a trunk is successfully negotiated, both ports go down, then come back up.
ISL (Cisco proprietary): encapsulates the whole original frame in another header (26 bytes) and trailer (4 bytes); if the frame is already at the MTU, it is exceeded by 30 bytes, which can't be handled by non-ISL switches. The header includes the VLAN ID and the source and destination switch MAC addresses.
802.1Q (industry standard): inserts a 4-byte tag into the Ethernet header after the source address; the MTU is exceeded by only 4 bytes, which non-802.1Q switches can usually still handle. The tag contains the tag type (2 bytes, 0x8100), priority (3 bits), a flag bit (CFI/DEI, 1 bit), and the VLAN ID (12 bits); the FCS trailer is recalculated over the tagged frame. Frames of the native VLAN are sent untagged, which is why the native VLAN on a trunk should be an otherwise unused VLAN.
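The 802.1Q tag layout above, built and parsed in code. This is an added example, not code from the original notes; the MAC addresses and payload are constructed sample data, and the parser goes slightly beyond the text by popping every 0x8100 tag it finds, so it also handles stacked (double) tags.

```python
"""Build and parse Ethernet frames carrying an 802.1Q tag. Added example, not from the
original notes; addresses and payload below are constructed sample data."""
import struct
import zlib

TPID_8021Q = 0x8100


def fcs(data):
    """Ethernet FCS: CRC-32 over destination MAC through payload, least significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0, dei=0):
    """Return a frame with FCS; insert the 4-byte 802.1Q tag only when vlan is given.
    vlan=None models the native VLAN, whose frames travel untagged."""
    if not (0 <= pcp < 8 and 0 <= dei < 2):
        raise ValueError("pcp is 3 bits, dei is 1 bit")
    header = dst + src
    if vlan is not None:
        if not 0 <= vlan <= 4095:
            raise ValueError("VID is 12 bits")
        tci = (pcp << 13) | (dei << 12) | vlan          # Tag Control Information
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ethertype)
    body = header + payload
    return body + fcs(body)                              # FCS recalculated over the tagged frame


def parse_frame(frame):
    """Split a frame into fields, popping every 802.1Q tag present (generalises to
    stacked tags). Verifies the FCS and raises ValueError on a mismatch."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("bad FCS")
    dst, src = body[:6], body[6:12]
    offset, tags = 12, []
    ethertype = struct.unpack("!H", body[offset:offset + 2])[0]
    while ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[offset + 2:offset + 4])[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
        ethertype = struct.unpack("!H", body[offset:offset + 2])[0]
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype,
            "payload": body[offset + 2:]}


def demo():
    dst = bytes.fromhex("001122334455")      # constructed addresses
    src = bytes.fromhex("66778899aabb")
    payload = b"\x45" + b"\x00" * 45         # 46-byte minimum Ethernet payload
    untagged = build_frame(dst, src, 0x0800, payload)
    tagged = build_frame(dst, src, 0x0800, payload, vlan=10, pcp=5)
    return {"untagged_len": len(untagged), "tagged_len": len(tagged),
            "parsed": parse_frame(tagged)}


if __name__ == "__main__":
    out = demo()
    print(out["tagged_len"] - out["untagged_len"], "bytes added by the tag")
    print(out["parsed"]["tags"], "ethertype 0x%04x" % out["parsed"]["ethertype"])
```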

The 12-bit VID gives 4096 VLAN IDs (0-4095), with VLAN 0 and VLAN 4095 reserved. VLANs 1-1005 are normal-range VLANs (1002-1005 are reserved for legacy FDDI and Token Ring), while VLANs 1006-4094 are extended-range VLANs. The number is known as the VLAN ID, or VID. A VLAN can be given a name with the name command; if VLAN 5 is left unnamed, its default name is VLAN0005. The name is not the VID.

VLANs can be routed using router-on-a-stick or an L3 switch. In router-on-a-stick, one physical interface is divided into multiple sub-interfaces with interface TYPE NUMBER.SUB-NUMBER (e.g. fastethernet 0/0.2); all the VLANs share the bandwidth of that one physical link. Each sub-interface requires encapsulation {isl | dot1q} VLAN_ID (like a WAN encapsulation) followed by an ip address. For the native VLAN, either 1) configure the ip address on the physical interface itself (untagged frames arrive there), or 2) use encapsulation dot1q VLAN_ID native on a sub-interface. Since the router does not run DTP, the connected switch port must be set statically with switchport mode trunk. Older switches default to dynamic desirable, newer switches default to dynamic auto. A switch connects to a hub via an access port.
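A config audit that applies the trunking rules above (hard-set access ports, DTP off, native VLAN changed, allowed list restricted) to an IOS-style running-config. This is an added example, not code from the original notes or from Cisco; the sample config is constructed, and the parser assumes the usual "interface ..." block layout with one-space indented subcommands.

```python
"""Audit switchport configuration for DTP negotiation and native-VLAN exposure.
Added example, not from the original notes; SAMPLE_CONFIG is a constructed running-config."""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
"""


def parse_interfaces(config):
    """Return {interface name: [subcommand lines]} from an IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None                       # "!" or any other top-level line ends the block
    return interfaces


def audit(config):
    """Return {interface: [findings]}; an empty list means the port follows the rules above."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        findings = []
        mode = next((c[len("switchport mode "):] for c in cmds if c.startswith("switchport mode ")), None)
        nonegotiate = "switchport nonegotiate" in cmds
        if mode is None or mode.startswith("dynamic"):
            # No explicit mode, or dynamic auto/desirable: a peer sending DTP 'desirable'
            # (an attacker's host can) turns this port into a trunk carrying every VLAN
            findings.append("DTP active: set 'switchport mode access' and 'switchport nonegotiate'")
        if mode == "trunk":
            if not nonegotiate:
                findings.append("trunk still runs DTP: add 'switchport nonegotiate'")
            native = next((c.rsplit(" ", 1)[1] for c in cmds
                           if c.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append("native VLAN is 1: untagged frames land in VLAN 1; use an unused VLAN")
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings.append("all VLANs allowed: restrict with 'switchport trunk allowed vlan'")
        report[name] = findings
    return report


if __name__ == "__main__":
    for intf, findings in audit(SAMPLE_CONFIG).items():
        print(intf, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```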
VTP

VLAN information can be distributed 1) fully statically (typing in commands on every switch), 2) partially statically (using VTP), or 3) dynamically (with VMPS, which assigns a port's VLAN based on the MAC address seen on it).

VTP is a Cisco proprietary protocol used to 1) synchronize VLAN information in a network so all switches have the same VLAN configuration, and 2) minimize traffic by VTP pruning. VTP has 3 versions: v1 is the original; v2 adds Token Ring VLAN support and consistency checks; v3 adds extended-range VLANs (1006-4094), a hidden/secret password option, and a single primary server that is the only switch allowed to update the domain. Cisco switches run VTP by default; in v1/v2 it cannot be turned off, only set to transparent mode (v3 adds vtp mode off). A switch is in one of 3 modes: client, server, or transparent. For switches to exchange VTP information they MUST be in the same administrative domain (AD); to achieve this, they use the same VTP domain name in the vtp domain command. If vtp domain is not configured, the VTP domain of a switch is null, and the switch adopts the first domain name it hears on a trunk. Differences between the modes:

Capability             | Server                                       | Client                                      | Transparent
Change VLAN config     | Yes, locally; change is advertised to the AD | No; follows the server's configuration      | Yes, locally only (advertisements are forwarded, not processed)
CLI VLAN configuration | Supported                                    | Not supported                               | Supported
VLAN range             | Normal VLANs (1-1005)                        | Normal VLANs (1-1005)                       | All VLANs (1-4094)
Configuration file     | flash:vlan.dat                               | flash:vlan.dat                              | flash:vlan.dat and running-config
Revision number        | Increments by 1 per change                   | Increments by 1 per change (follows server) | Always 0

For VTP to operate successfully, you need 1) a trunk between the switches (VTP is only sent on trunk ports), 2) a matching VTP domain name (if one is configured), and 3) a matching VTP password (if one is configured). VTP distributes VLAN information with 3 kinds of messages, which are only generated by VTP clients/servers:
- Summary advertisement: contains the revision number, VTP domain, and other information; sent every 5 minutes and immediately after a change
- Subset advertisement: contains the VLAN database for a specific revision number; follows a summary advertisement when a change (a higher revision number) occurs or when an advertisement request is received
- Advertisement request: requests VTP information (summary + subset advertisement). Sent when 1) a switch is reset, 2) the VTP domain name changes (which resets the revision number to 0), or 3) a summary advertisement with a higher revision number is received
NOTE: these messages carry a VTP header (to identify themselves) and are sent to the multicast MAC address 0100.0CCC.CCCC.

When a switch and its adjacent switch have different domain names, updates are received but not processed. The link between such switches must still be a trunk on both ends for VLAN traffic to pass.

A second function of VTP is VTP pruning, which (temporarily) stops a trunk from carrying flooded traffic for VLANs the neighbouring switch has no active ports in. For instance, if SW1 has no ports in VLAN 5, frames flooded in VLAN 5 are not sent to SW1. VLAN 1 is never pruned. Pruning is enabled on the server with vtp pruning; the VLANs eligible for pruning on a trunk are set with switchport trunk pruning vlan VID. Trunk ports don't show up in the VLAN database output of show vlan.

An alternative to VTP pruning is the manually configured allowed VLAN list, altered with (config-if)#switchport trunk allowed vlan [add | all | remove | except] VLAN_ID. By default all VLANs are on the list.

When adding a new switch, if the switch has a VTP configuration revision number higher than the current network's revision number (and the same domain name and password), all VLAN information in the network is overwritten with that of the new switch, and ports in VLANs that disappear go down. To prevent this, before cabling the switch in, 1) set it to transparent mode, then back to client/server mode (which resets the revision number to 0), 2) change the domain name, then change it back, or 3) erase vlan.dat with delete flash:vlan.dat. A VTP password (and transparent mode, or VTP v3 with a single primary server, where synchronization is not needed) limits who can inject such an update.

A VLAN's traffic may be blocked on a trunk because:
1) It's not on the allowed VLAN list
2) The VLAN doesn't exist, or is not active
3) The VLAN is temporarily pruned by VTP
4) The VLAN's STP instance is not in the forwarding state on that port
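A simulation of the revision-number behaviour described above: a switch with a stale database but a higher revision number overwrites the whole domain, and the password check or a revision reset through transparent mode prevents it. This is an added example, not code from the original notes; the switch names, VLAN sets and revision numbers are constructed, and the password check is simplified to an equality test (real VTP carries an MD5 digest of the password and database).

```python
"""VTP server/client/transparent behaviour with configuration revision numbers.
Added example, not from the original notes; switches, VLANs and revisions are constructed."""


class Switch:
    def __init__(self, name, mode, domain, vlans, revision=0, password=None):
        self.name, self.mode, self.domain = name, mode, domain
        self.vlans = set(vlans)
        self.revision = revision
        self.password = password

    def local_change(self, vlan):
        """Add a VLAN locally. Only a server's change is advertised (and bumps the revision)."""
        if self.mode == "client":
            raise PermissionError("VTP clients cannot create VLANs")
        self.vlans.add(vlan)
        if self.mode == "server":
            self.revision += 1

    def set_mode(self, mode):
        """Passing through transparent mode resets the revision number to 0."""
        if mode == "transparent":
            self.revision = 0
        self.mode = mode

    def summary_advertisement(self):
        return {"domain": self.domain, "revision": self.revision,
                "vlans": set(self.vlans), "password": self.password}

    def receive(self, adv):
        """Process a summary + subset advertisement from a trunk neighbour.
        Returns True if the local VLAN database was overwritten."""
        if self.mode == "transparent":
            return False                        # forwarded, not processed
        if adv["domain"] != self.domain:
            return False                        # different domain: ignored
        if adv["password"] != self.password:
            return False                        # digest mismatch: ignored
        if adv["revision"] > self.revision:     # a higher revision always wins
            self.vlans = set(adv["vlans"])
            self.revision = adv["revision"]
            return True
        return False


def propagate(switches):
    """Deliver every switch's advertisement to every other switch (all joined by trunks)."""
    advs = [s.summary_advertisement() for s in switches]
    changed = set()
    for s in switches:
        for adv in advs:
            if s.receive(adv):
                changed.add(s.name)
    return changed


def demo(password=None, quarantine=False):
    core = Switch("core", "server", "CORP", {1, 10, 20}, revision=5, password=password)
    access = Switch("access", "client", "CORP", {1, 10, 20}, revision=5, password=password)
    # A switch arriving from a lab: same domain name, stale VLAN list, higher revision
    lab = Switch("lab", "server", "CORP", {1, 99}, revision=42)
    if quarantine:
        lab.set_mode("transparent")   # revision -> 0 before it is cabled in
        lab.set_mode("client")
    propagate([core, access, lab])
    return {s.name: sorted(s.vlans) for s in (core, access, lab)}


if __name__ == "__main__":
    print("unprotected:   ", demo())
    print("with password: ", demo(password="s3cret"))
    print("revision reset:", demo(quarantine=True))
```

In the unprotected run VLANs 10 and 20 vanish from the production switches, which is the outage the notes warn about; the other two runs keep them.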
STP, RSTP, PVST, and MST

STP behaves identically for switches and bridges. STP prevents 1) broadcast storms, 2) MAC table instability, and 3) multiple copies of the same frame. The STP port states are blocking, listening, learning, and forwarding; failed interfaces or interfaces that are administratively down are in the disabled state. Port roles are determined by the Bridge ID, or BID (8 bytes) = priority (2 bytes) + MAC address (6 bytes). The extended BID (used by PVST+) splits the 2-byte priority field into priority (4 bits, so the priority is a multiple of 4096) + system ID extension (12 bits, usually the VLAN ID), followed by the MAC address (6 bytes). STP communicates with Hello BPDUs, which contain 1) the Root BID, 2) the sender's BID, 3) the cost to the root (per-port cost 100 for 10 Mbps, 19 for 100 Mbps, 4 for 1 Gbps, and 2 for 10 Gbps), and 4) the value of each timer. The timers are:
- Hello timer, 2 seconds by default: interval between Hello BPDUs
- Max Age, 10 × Hello (20 seconds) by default: if no Hello BPDU is heard within Max Age, a blocked port starts its transition to forwarding (through listening and learning)
- Forward delay, 15 seconds by default: time spent in each of the listening and learning states
When a switch first boots, it believes it is the Root Bridge and sends BPDUs announcing itself. If a better (lower) BID is heard in a Hello BPDU, the switch accepts that switch as root and relays its Hellos instead. The result is a network of switches with only one Root Bridge. In STP, only the Root Bridge originates Hello BPDUs; the other switches relay them. On a non-root bridge, the Root Port is the port with the shortest path to the root; it is chosen by lowest root path cost, then lowest neighbouring BID, then lowest neighbouring port priority, then lowest neighbouring port number. Other ports either become Designated Ports (the lowest-cost port on each segment) or are blocked.

STP converges slowly; Cisco has proprietary features to reduce convergence time:
1) EtherChannel: bundles multiple physical links between 2 devices into one logical link; if one link fails, the others carry the traffic without STP reconverging. The bundle runs at the total speed of all the links.
2) PortFast: if the connection is to a PC, router, or other non-switch device, PortFast moves the port straight to forwarding, skipping listening and learning.
3) BPDU Guard works with PortFast: on a port where no switch should ever appear, if any BPDU is received the port is put into the err-disabled state and stays down until an administrator clears it (or errdisable recovery does). Another feature is Root Guard: to keep the current topology, enable it on ports facing switches that must never become root; if a superior BPDU arrives there, that port is blocked instead of letting the sender win the election.
4) BPDU Filter suppresses BPDUs on PortFast ports. With the global spanning-tree portfast bpdufilter default, a PortFast port that still receives a BPDU loses PortFast and returns to normal STP operation; the interface form (config-if)#spanning-tree bpdufilter enable stops sending and receiving BPDUs on that port entirely, effectively disabling STP there, so use it with care.

When working with VLANs, Per-VLAN Spanning Tree (PVST+) creates a separate STP instance for every VLAN. It uses the extended BID, so every VLAN can have a different priority and therefore a different root.
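The root election and root-port selection described above, worked through in code on a three-switch triangle, plus the case that BPDU Guard and Root Guard exist to prevent: a switch advertising priority 0 on an access port takes over as root. This is an added example, not code from the original notes; the switch names, MAC addresses and link speeds are constructed, and the costs are the 802.1D values quoted in the text.

```python
"""Spanning-tree root bridge election and root port selection from Bridge IDs and path
costs. Added example, not from the original notes; topology and MACs are constructed."""
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mbps -> STP port cost


def bridge_id(priority, mac):
    """A BID compares as (priority, MAC); the lowest value wins. Default priority is 32768."""
    return (priority, mac.lower())


def elect_root(switches):
    """switches: {name: (priority, mac)}. Returns the name of the switch with the lowest BID."""
    return min(switches, key=lambda n: bridge_id(*switches[n]))


def root_path_costs(switches, links, root):
    """Dijkstra over links [(a, b, speed_mbps)]. Cost is added on the receiving side of a
    link, as in STP, and ties are broken by the lower BID of the neighbour the Hello came
    from. Returns {switch: (root path cost, neighbour BID, neighbour toward root)}."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    best = {root: (0, (-1, ""), None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nxt, link_cost in adj.get(node, []):
            cand = (cost + link_cost, bridge_id(*switches[node]), node)
            if nxt not in best or cand < best[nxt]:
                best[nxt] = cand
                heapq.heappush(heap, (cand[0], nxt))
    return best


def root_ports(switches, links):
    """For every non-root switch: (root, root path cost, neighbour on the root port)."""
    root = elect_root(switches)
    best = root_path_costs(switches, links, root)
    return {n: (root, best[n][0], best[n][2]) for n in switches if n != root}


def demo(rogue=False):
    switches = {"SW1": (32768, "00:00:00:00:00:01"),
                "SW2": (32768, "00:00:00:00:00:02"),
                "SW3": (32768, "00:00:00:00:00:03")}
    links = [("SW1", "SW2", 1000), ("SW2", "SW3", 100), ("SW1", "SW3", 100)]
    if rogue:
        # An attacker's switch on an access port advertises priority 0. Without BPDU Guard
        # or Root Guard it wins the election and every switch re-roots toward it.
        switches["ROGUE"] = (0, "de:ad:be:ef:00:00")
        links.append(("SW3", "ROGUE", 100))
    return root_ports(switches, links)


if __name__ == "__main__":
    print("normal:", demo())
    print("rogue: ", demo(rogue=True))
```

With all priorities equal, SW1 wins on its lower MAC; in the rogue run SW1 and SW2 both reach the new root through SW3, so traffic between them now crosses the attacker's link.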

IEEE 802.1w, or RSTP, improves on STP by converging in a few seconds instead of up to 50. It is backward compatible with STP and has the states discarding (= blocking/listening in STP), learning (= learning in STP), and forwarding (= forwarding in STP). Port roles are Root Port, Designated Port, alternate (a backup for the root port) and backup (a backup for a designated port on the same shared segment, e.g. two ports into the same hub). In RSTP an edge port behaves like a PortFast port. There are 3 link/port types: point-to-point (full-duplex switch-to-switch), shared (half-duplex, switch-to-hub), and edge (switch-to-PC). RSTP's fast convergence only applies to point-to-point and edge ports. Each switch generates its own Hello BPDUs, and a topology change is acted on immediately where it is detected, instead of being reported to the Root Bridge first. RSTP has Max Age = 3 × Hello. The proposal/agreement handshake on a point-to-point link:
1) Switch A sends a BPDU proposing to become the designated switch for the link. Switch B, on receiving a superior proposal, immediately puts all its other non-edge designated ports into discarding (sync), so no loop can form, and makes the receiving port its root port.
2) Switch B sends an agreement back to Switch A; both ports move to forwarding at once. If Switch B cannot agree (the proposal is inferior), no agreement is sent and Switch A's port must wait out the normal forward-delay timers before it can forward.
Cisco runs an instance of RSTP per VLAN as Rapid PVST+ (proprietary). The IEEE equivalent is MST (IEEE 802.1s), which maps a group of VLANs onto each spanning-tree instance, so a few instances can cover all VLANs instead of running one per VLAN.
WLAN

A WLAN is half-duplex like a hub, and an AP connects to a switch using a straight-through cable. Wireless devices communicate using radio waves separated into different channels. The wider the channel (frequency range), the faster the data rate. The power an AP radiates is measured as EIRP, while the signal-to-noise ratio (SNR) measures the WLAN signal compared to the noise in the same space; the higher the SNR, the more reliably the WLAN can transfer data. To increase the power (range) of an AP, you can fit a better antenna or buy a new AP.

802.11a has an extension in 802.11h, which contains 2 new features:
- DFS (Dynamic Frequency Selection): monitors a device's operating range for radar signals, which are allowed to operate in portions of the 5 GHz band alongside 802.11a, before transmitting. If DFS discovers a radar signal, it either abandons the occupied channel or marks it as unavailable to prevent interference on the WLAN.
- TPC (Transmit Power Control): you can set the client adapter's and the access point's transmit power to cover areas of various sizes. For example, setting the access point's transmit power to 5 mW reduces the cell range, which works well for a compact area with high-density usage.
Stronger signal -> faster data rate -> smaller coverage; weaker signal -> slower data rate -> bigger coverage.

If 2 or more WLAN devices send data at the same time on the same frequency, a collision occurs. Data in a WLAN uses one of the following encodings:

Encoding | How it works                                                                                         | Standards
FHSS     | Hops across all frequencies (in an order calculated by an algorithm) to avoid collisions            | 802.11 (original)
DSSS     | Uses 22 MHz-wide channels within the 2.402-2.483 GHz band (only channels 1, 6 and 11 don't overlap) | 802.11, 802.11b, 802.11g
OFDM     | Splits a channel into many orthogonal (non-overlapping) sub-carriers                                 | 802.11a, 802.11g, 802.11n

A WLAN uses CSMA/CA (optionally with the RTS/CTS handshake) to avoid collisions:
1) Listen to the medium to check whether it is free; if others are transmitting go to step 2, otherwise go to step 3.
2) Wait a random back-off period.
3) Test again whether the medium is clear, then send the frame.
4) Wait for the acknowledgement (which should be sent immediately after the frame is received). If no acknowledgement is received within the retransmission timer, resend using the steps above.
Note: an acknowledgement is needed for every unicast frame sent.

To install a WLAN:
1) Verify the existing network by plugging a computer into the switch port intended for the AP and establishing connectivity. For ESS roaming, the APs should be placed in the same VLAN.
2) Install the AP and configure the wired and IP details. The AP should be connected to a fast port such as FastEthernet or GigabitEthernet. The AP's IP address is only used for management; it is not needed for the AP to function.
3) Configure the AP's WLAN settings such as SSID, channel, standard, transmit power, etc. Mixing standards such as 802.11b with 802.11g slows down the network.
4) Install and configure 1 wireless client, and check connectivity.
5) If it fails, perform a site survey and analyze signal loss. If it succeeds, configure security.
WPA and WPA2 can both run in either personal (PSK) or enterprise (802.1X/EAP) mode. All wireless security protocols (WEP, WPA, WPA2) support a PSK, but WEP is broken and should not be used. Laptops are the typical wireless clients. When a VLAN is removed with the no vlan command, the ports assigned to it lose connectivity.

In a mixed cell, all wireless clients end up operating at the highest rate supported by every client in it.

CCNA Layer 3

Routing protocols decide how to reach the destination, while a routed (routable) protocol carries the packets. OSI has CLNS as its L3 routed protocol, while TCP/IP uses IP. A routing protocol 1) learns routes, 2) advertises routes, 3) decides on the best route, and 4) converges. The routing table is a list of network layer address groupings (IP subnets). Routers pick the best matching route in this order: longest prefix match > lowest administrative distance > lowest route metric. Administrative distance is locally significant. A route with an AD of 255 is never placed into the routing table. Load balancing can be seen with show ip route A.B.C.D -> traffic share count is 1, meaning that for every round of packets going through, this path carries one. A static route is installed as long as its outgoing interface is up/up and ip route is configured. A connected route automatically shows up when the router interface is up/up. The default route carries the * (candidate default) designation and can be created by:
- ip route 0.0.0.0 0.0.0.0 next-hop (static default route)
- ip default-network (for a router with ip routing enabled; propagated via routing protocols)
- ip default-gateway (for a device with ip routing disabled, such as a Layer 2 switch)
A secondary IP address allows another subnet to be allocated to the same interface if the first subnet runs out; this is done by adding the secondary keyword after the ip address configuration. The time in a routing entry indicates how long since the route was included in the last update, NOT when it was added. You can't include a subnet mask with the network command in RIP.
Feature                         | RIP-1 | RIP-2          | EIGRP                         | OSPF             | IS-IS         | IGRP
Classless                       | No    | Yes            | Yes                           | Yes              | Yes           | No
Supports VLSM                   | No    | Yes            | Yes                           | Yes              | Yes           | No
Sends mask in update            | No    | Yes            | Yes                           | Yes              | Yes           | No
Distance vector                 | Yes   | Yes            | Yes (advanced DV)             | No               | No            | Yes
Link-state                      | No    | No             | No                            | Yes              | Yes           | No
Autosummarization               | No    | Yes            | Yes                           | No               | No            | No
Manual summarization            | No    | Yes            | Yes                           | Yes              | Yes           | No
Proprietary                     | No    | No             | Yes                           | No               | No            | Yes
Routing updates using multicast | No    | Yes; 224.0.0.9 | Yes; 224.0.0.10               | Yes; 224.0.0.5/6 | Yes (L2 only) | No
Supports authentication         | No    | Yes            | Yes                           | Yes              | Yes           | No
Convergence                     | Slow  | Slow           | Very fast                     | Fast             | Fast          | Slow
Administrative distance         | 120   | 120            | 90 (internal), 170 (external) | 110              | 115           | 100
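Route installation and lookup following the longest-match > administrative distance > metric rule and the AD 255 rule from the Layer 3 section above, worked through on a small table. This is an added example, not code from the original notes; the routes, next hops and metrics are constructed, and the AD table lists the defaults quoted in the feature table.

```python
"""Route selection: longest prefix match first, then lowest administrative distance, then
lowest metric; AD 255 is never installed. Added example, not from the original notes;
ROUTES is a constructed sample."""
import ipaddress

AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120, "eigrp-ext": 170}

# (prefix, learned from, metric, next hop) -- constructed sample
ROUTES = [
    ("0.0.0.0/0",     "static",  0,    "203.0.113.1"),
    ("10.0.0.0/8",    "rip",     3,    "10.1.1.254"),
    ("10.1.0.0/16",   "ospf",    20,   "10.1.1.253"),
    ("10.1.0.0/16",   "eigrp",   3000, "10.1.1.252"),   # same prefix, lower AD than OSPF
    ("10.1.2.0/24",   "ospf",    30,   "10.1.1.251"),
    ("10.1.2.0/24",   "ospf",    10,   "10.1.1.250"),   # same prefix and AD, better metric
    ("10.1.2.0/24",   "ospf",    10,   "10.1.1.249"),   # equal cost: both are installed
    ("172.16.0.0/16", "unknown", 0,    "10.1.1.9"),     # AD 255: never installed
]


def install(routes):
    """Per prefix keep the route(s) with the lowest AD and, among those, the lowest metric.
    Returns {network: (ad, metric, [next hops])}."""
    table = {}
    for prefix, source, metric, nh in routes:
        ad = AD.get(source, 255)
        if ad == 255:
            continue
        net = ipaddress.ip_network(prefix)
        cur = table.get(net)
        if cur is None or (ad, metric) < (cur[0], cur[1]):
            table[net] = (ad, metric, [nh])
        elif (ad, metric) == (cur[0], cur[1]):
            cur[2].append(nh)            # equal-cost paths share the load
    return table


def lookup(table, dst):
    """Longest-match rule: the most specific installed prefix containing dst wins.
    Returns (prefix, [next hops]) or None when no route, not even a default, exists."""
    addr = ipaddress.ip_address(dst)
    candidates = [net for net in table if addr in net]
    if not candidates:
        return None
    best = max(candidates, key=lambda n: n.prefixlen)
    return str(best), table[best][2]


def demo():
    table = install(ROUTES)
    targets = ("10.1.2.7", "10.1.9.9", "10.200.1.1", "172.16.1.1", "8.8.8.8")
    return {d: lookup(table, d) for d in targets}


if __name__ == "__main__":
    for dst, route in demo().items():
        print("%-12s -> %s" % (dst, route))
```

Note that the EIGRP route to 10.1.0.0/16 wins over the OSPF route despite its much larger metric: metrics are only compared between routes from the same source, AD decides between sources, and prefix length decides before either.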

Distance vector (DV) protocols work by advertising their entire routing table to directly connected neighbours, so other routers learn potential routes to a destination; examples are RIP-1 and RIP-2 (both on UDP port 520). RIPv2 adds manual summarization, authentication, and multicast updates. DV protocols prevent loops with 1) triggered updates, 2) hold-down timers, 3) route poisoning, 4) poison reverse, 5) an infinite metric (16 for RIP), and 6) split horizon. To create a manual summary, use ip summary-address. To disable auto-summarization, use no auto-summary. An AS is assigned a number called an ASN by organizations like ARIN (which are also responsible for IP address allocation). The router rip command enables RIP so that this router can receive updates, but they are ignored until a network command is set. RIP timers can be set with (config-router)#timers basic UPDATE_INTERVAL INVALID_TIMER HOLDDOWN_TIMER FLUSH_TIMER [SLEEP_TIMER]. RIP variants exist for almost any routed protocol (IP RIP, IPX RIP).
Link-state routing protocols

Link-state routing protocols include OSPF and IS-IS. A router running OSPF is identified by a Router ID (RID) in the link-state database (LSDB). The RID has the same format as an IP address and can be selected automatically or set manually. The RID is chosen as follows:
1) The router-id RID command under router ospf P_ID, if configured.
2) Otherwise, the highest IP address configured on any loopback interface (a loopback is an always up/up virtual interface, created with interface loopback NUMBER followed by the ip address command).
3) Otherwise, the highest IP address among all up/up physical interfaces.
The RID is chosen when the OSPF process starts. A new, better address WON'T take over until OSPF is restarted with clear ip ospf process or the router is reloaded. After the RID is chosen and interfaces come up, the router becomes neighbours with other routers connected to the SAME subnet. To discover OSPF neighbours, OSPF sends Hello packets to 224.0.0.5 (AllSPFRouters) using IP protocol 89. On multi-access networks, updates to the DR/BDR are sent to 224.0.0.6 (AllDRouters), and the DR floods them back to 224.0.0.5. To form a neighbour relationship, both routers must match on:
- Subnet mask and subnet number (network address)
- Hello interval (10 sec by default on LANs) and dead interval (= 4 × Hello); if the dead timer expires, the neighbour is marked down and the router reconverges
- OSPF area ID
- Value of the stub area flag
- Authentication type and password (if any)
(Also, the RIDs must be unique.) Once neighbours are discovered and LSDBs exchanged, the routers run the SPF algorithm to fill their routing tables. In the beginning, both Router A and Router B are in the Down state. If Router A receives Router B's Hello (with Router A not yet in B's neighbour list) and decides that Router B can be a neighbour (all criteria met), Router A adds Router B to the neighbour list carried in its own Hello messages [this is the Init state]. As soon as Router B receives a Hello from Router A containing B's own RID in the list, Router B adds Router A to its list as well; this is the Two-Way state. Neighbours are tracked in the router's neighbour database; use the show ip ospf neighbor command.

After both routers on a link recognize each other, they begin exchanging their LSDBs; routers in the same area end up with identical LSDBs. The exchange is done differently for different network types; in CCNA only point-to-point and broadcast are considered. The network type can be set manually with ip ospf network followed by the type. A point-to-point network has exactly 2 routers directly connected to each other (or a subnet with only 2 routers). In this case, the LSDBs are advertised and updated DIRECTLY between the 2 routers until they become fully adjacent. On the other hand, if 10 routers on the same subnet all exchanged databases with each other, the traffic would be overwhelming. In this case (multiple routers on a broadcast subnet), a Designated Router (DR) acts as the boss that distributes the information to ALL the other routers; the others form full adjacencies only with the DR and BDR, NOT with EACH OTHER. The DR has a backup called the BDR. All other routers are known as DROthers. The OSPF priority of a router (usually) decides the DR and BDR. The priority ranges from 0 to 255, with 0 meaning the router is never considered for election.
- The router with the highest OSPF priority becomes DR; if the priority ties, the highest RID wins.
- The router with the second highest priority becomes BDR; if the priority ties, the second highest RID wins.
- If a new, better candidate comes along later, there is no preemption: the existing DR and BDR keep their roles until one of them fails.
After routers decide to exchange their LSDBs, they send each other a list of LSA headers (database description) asking whether the neighbour already has each LSA. If yes, no further exchange is needed. If no, the router sends the missing LSAs to the neighbour. When a neighbour has all the LSAs, it is in the Full state. Hello messages are still sent, and if a neighbour goes down (detected by the dead interval), the routers reconverge and re-flood the necessary LSAs. Note that every LSA is re-flooded by its originator every 30 minutes regardless of topology changes, but each LSA has its own refresh timer, so they are not all sent at once. LSAs ARE RECORDED IN THE ROUTER'S LSDB, or OSPF topology database, shown with show ip ospf database. It contains a list of subnets, called links, and lists of routers; a router LSA carries the IP addresses and masks of that router's interfaces. The SPF algorithm picks the route with the least cost to each subnet and places it in the routing table, shown with show ip route.
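The neighbour criteria and the DR/BDR election rules above, including the no-preemption behaviour, worked through in code. This is an added example, not code from the original notes; the routers, their addresses and priorities are constructed, and the Segment class is a simplified model of one broadcast subnet (it ignores the wait timer and the Hello exchange itself).

```python
"""OSPF neighbour checks and DR/BDR election on a broadcast segment. Added example, not
from the original notes; routers and parameters are constructed."""
import ipaddress

NEIGHBOR_FIELDS = ("hello", "dead", "area", "stub", "auth")


def hello_mismatches(a, b):
    """Return the parameters that stop a and b from becoming neighbours (empty = OK)."""
    problems = []
    if ipaddress.ip_interface(a["ip"]).network != ipaddress.ip_interface(b["ip"]).network:
        problems.append("subnet/mask")
    problems += [f for f in NEIGHBOR_FIELDS if a[f] != b[f]]
    if a["rid"] == b["rid"]:
        problems.append("duplicate RID")
    return problems


def rid_key(router):
    """RIDs compare numerically, octet by octet, not as strings."""
    return tuple(int(o) for o in router["rid"].split("."))


def elect_dr_bdr(routers):
    """Highest priority wins, ties broken by highest RID; priority 0 never takes part.
    Returns (DR rid, BDR rid); a slot is None when there are too few candidates."""
    eligible = sorted((r for r in routers if r["priority"] > 0),
                      key=lambda r: (r["priority"], rid_key(r)), reverse=True)
    dr = eligible[0]["rid"] if len(eligible) > 0 else None
    bdr = eligible[1]["rid"] if len(eligible) > 1 else None
    return dr, bdr


class Segment:
    """One broadcast segment. DR/BDR are elected once and not preempted by later arrivals."""

    def __init__(self):
        self.routers, self.dr, self.bdr = [], None, None

    def join(self, router):
        self.routers.append(router)
        if self.dr is None:                        # no DR yet: run the election
            self.dr, self.bdr = elect_dr_bdr(self.routers)
        elif self.bdr is None:                     # DR exists, BDR slot vacant: fill it only
            others = [r for r in self.routers if r["rid"] != self.dr]
            self.bdr, _ = elect_dr_bdr(others)
        return self.dr, self.bdr

    def boot_all(self, routers):
        """All routers come up together: a single election over the whole segment."""
        self.routers = list(routers)
        self.dr, self.bdr = elect_dr_bdr(self.routers)
        return self.dr, self.bdr

    def fail(self, rid):
        """DR failure: the BDR is promoted and a new BDR is elected among the rest."""
        self.routers = [r for r in self.routers if r["rid"] != rid]
        if rid == self.dr:
            self.dr, self.bdr = self.bdr, None
        elif rid == self.bdr:
            self.bdr = None
        if self.bdr is None:
            others = [r for r in self.routers if r["rid"] != self.dr]
            self.bdr, _ = elect_dr_bdr(others)
        return self.dr, self.bdr


def demo():
    base = {"hello": 10, "dead": 40, "area": 0, "stub": False, "auth": ("md5", "k1")}
    r1 = dict(base, rid="1.1.1.1", ip="10.0.0.1/24", priority=1)
    r2 = dict(base, rid="2.2.2.2", ip="10.0.0.2/24", priority=1)
    r3 = dict(base, rid="3.3.3.3", ip="10.0.0.3/24", priority=0)      # never DR/BDR
    r4 = dict(base, rid="4.4.4.4", ip="10.0.0.4/24", priority=200)    # best candidate
    bad = dict(base, rid="9.9.9.9", ip="10.0.0.9/25", hello=5, auth=None)
    seg = Segment()
    for r in (r1, r2, r3, r4):                     # routers boot one after another
        sequential = seg.join(r)
    after_dr_failure = seg.fail("1.1.1.1")
    simultaneous = Segment().boot_all([r1, r2, r3, r4])
    return {"mismatch": hello_mismatches(r1, bad), "sequential": sequential,
            "after_dr_failure": after_dr_failure, "simultaneous": simultaneous}


if __name__ == "__main__":
    print(demo())
```

The sequential run shows why the DR on a real segment is often not the router you would expect from the priorities: r4 has the highest priority but arrived last, so it only becomes BDR after the original DR fails.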

In large networks, OSPF becomes a burden, since every router must hold the whole LSDB and run SPF over it. The solution is to logically cut the network into smaller divisions called areas. Area Border Routers (ABRs) lie between areas and pass routes between them, ideally as manual summaries (which reduces the number of routes). An ABR belongs to both areas and requires more memory and CPU, since it processes routes for both.
Term                                   | Description
Autonomous System Border Router (ASBR) | An OSPF router that connects to routers that do not use OSPF, for the purpose of exchanging external routes into and out of the OSPF domain
Backbone router                        | A router in one area, the backbone area
Internal router                        | A router in a single non-backbone area
Backbone area                          | A special OSPF area to which all other areas must connect: area 0
External route                         | A route learned from outside the OSPF domain and then advertised into the OSPF domain
Intra-area route                       | A route to a subnet inside the same area as the router
Interarea route                        | A route to a subnet in an area of which the router is not a part
Autonomous system                      | A set of routers that use OSPF; routers in the same network have the same AS

To configure OSPF:
Step 1. Enter OSPF configuration mode for a particular OSPF process using the router ospf process-id global command. The process ID can range from 1 to 65,535.
Step 2. (Optional) Configure the OSPF router ID by:
  a. Configuring the router-id id-value router subcommand.
  b. Configuring an IP address on a loopback interface.
Step 3. Configure one or more network ip-address wildcard-mask area area-id router subcommands, with any matched interfaces being added to the listed area.
Step 4. (Optional) Change the interface Hello and Dead intervals using the ip ospf hello-interval time and ip ospf dead-interval time interface subcommands.
Step 5. (Optional) Influence routing choices by tuning interface costs as follows:
  a. Configure costs directly using the ip ospf cost value interface subcommand.
  b. Change interface bandwidths using the bandwidth value interface subcommand.
  c. Change the numerator in the formula that calculates the cost from the interface bandwidth, using the auto-cost reference-bandwidth value router subcommand.
Step 6. (Optional) Configure OSPF authentication:
  a. On a per-interface basis using the ip ospf authentication interface subcommand.
  b. For all interfaces in an area using the area authentication router subcommand.
Step 7. (Optional) Configure support for multiple equal-cost routes using the maximum-paths number router subcommand.

show ip ospf interface command list more detailed information about each interface.
Type | Meaning    | Command to enable authentication      | What the password is configured with
0    | None       | ip ospf authentication null           | (none)
1    | Clear text | ip ospf authentication                | ip ospf authentication-key key-value
2    | MD5        | ip ospf authentication message-digest | ip ospf message-digest-key key-number md5 key-value

Type 0 is the default. Type 1 sends the key in clear text in every OSPF packet, so anyone on the segment can read it; use type 2 (MD5), which sends a digest over the packet and key instead.

OSPF, by default, load-balances over 4 equal-cost paths; it can support up to 16 (platform dependent) with the maximum-paths command. The same is true for EIGRP.

EIGRP

Like OSPF, EIGRP discovers neighbours through Hello messages with matching criteria. These messages are sent to 224.0.0.10, and both routers need to have 1) the same ASN, 2) interfaces in the same subnet, 3) the same K values (metric weights), and 4) matching authentication.

As soon as these criteria are checked, a router becomes the neighbor. Then, 2 neighbors can begin exchanging information. EIGRP has Hello interval and Hold Timer (= OSPF Dead interval) for Hello messages. EIGRP also have neighbor table (show ip eigrp neighbor), topology table (show ip eigrp topology), and routing table (show ip route). The neighbor table contain all the possible next-hop router without knowing anything else about the route (distance-vector). EIGRP Update messages are send when a router needs to convey topology information to multiple routers (in case of single router, unicast address is used instead). These messages are transported using Reliable Transport Protocol (RTP). Update messages can be Full or Partial updates, with full updates (containing the entire routing table) only send when a router rst comes up. Metric of EIGRP is (by default) based on bandwidth and delay (manually congurable with bandwidth and delay interface command) or can include load and reliability, although these are strongly discouraged for the sake of metric stability. RD, or AD is the distance from the next-hop router to the destination, while FD is the distance from this router to the destination. FD is the metric of successor route. Feasible successor route, on the other hand, MUST HAVE RD LESS THAN FD OF SUCCESSOR ROUTE. When the successor route fails, there are 2 options. If the router has feasible successor, it will be used. If no feasible successor is present, DUAL algorithm is ran to nd a new loop-free route to the destination and add it to the routing table. The algorithm simply test the current, viable routes to the destination (like a ping) using a query message and wait for a reply message. In essence, EIGRP support manual summarization at any router, support multiple routed protocols (IP, IPX, and AppleTalk); convergence takes less than 10 seconds (sometimes even faster). However, EIGRP is Cisco proprietary. To congure EIGRP, (in routing table, (FD/RD))
Step 1. Enter EIGRP configuration mode, and define the EIGRP ASN (1-65,535) by using the router eigrp as-number global command.
Step 2. Configure one or more network ip-address [wildcard-mask] router subcommands. If no wildcard mask is used, the network is assumed classful.
Step 3. (Optional) Change the interface Hello and hold timers using the ip hello-interval eigrp asn time and ip hold-time eigrp asn time interface subcommands.
Step 4. (Optional) Impact metric calculations by tuning bandwidth and delay using the bandwidth value and delay value interface subcommands.
Step 5. (Optional) Configure EIGRP authentication.
Step 6. (Optional) Configure support for multiple equal-cost routes using the maximum-paths number and variance multiplier router subcommands.
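The successor / feasible-successor selection and the failover decision described above, as an added example that is not part of these notes; the topology-table entries, metrics and router names are constructed.

```python
"""Successor / feasible-successor selection for one EIGRP destination.

Added example, not from the original notes. Each candidate next hop carries
FD (this router's metric to the destination via that neighbor) and RD (the
neighbor's own reported metric). Values and router names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Candidate:
    next_hop: str  # neighbor router name (constructed)
    fd: int        # feasible distance: this router's metric via next_hop
    rd: int        # reported distance: next_hop's metric to the destination


def pick_routes(candidates: List[Candidate]) -> Tuple[Optional[Candidate], List[Candidate]]:
    """Return (successor, feasible_successors).

    Successor = lowest FD. A feasible successor MUST have RD strictly less
    than the FD of the successor route (the feasibility condition); that is
    what guarantees the backup path is loop-free without running DUAL.
    """
    if not candidates:
        return None, []
    successor = min(candidates, key=lambda c: c.fd)
    feasible = [c for c in candidates
                if c is not successor and c.rd < successor.fd]
    feasible.sort(key=lambda c: c.fd)  # best backup first
    return successor, feasible


def failover(candidates: List[Candidate], failed_next_hop: str) -> Tuple[Optional[Candidate], bool]:
    """Model what happens when the successor's next hop fails.

    Returns (new_route, dual_required). A feasible successor is installed
    immediately; otherwise DUAL has to query the remaining neighbors and
    recompute (modelled here as a recomputation over what is left).
    """
    successor, feasible = pick_routes(candidates)
    if successor is None or successor.next_hop != failed_next_hop:
        return successor, False          # nothing to do, successor is intact
    if feasible:
        return feasible[0], False        # instant switch, no query needed
    remaining = [c for c in candidates if c.next_hop != failed_next_hop]
    new_successor, _ = pick_routes(remaining)
    return new_successor, True           # DUAL query/reply phase required


# Constructed topology table for one destination (e.g. 10.1.1.0/24):
SAMPLE = [
    Candidate("R2", fd=2172416, rd=28160),    # lowest FD -> successor
    Candidate("R3", fd=2684416, rd=2172416),  # RD == successor FD: NOT feasible
    Candidate("R4", fd=3000000, rd=1000000),  # RD < 2172416 -> feasible successor
]

if __name__ == "__main__":
    s, fs = pick_routes(SAMPLE)
    print("successor:", s.next_hop, "feasible:", [c.next_hop for c in fs])
    print("after R2 fails:", failover(SAMPLE, "R2"))
```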

DNS: hostname -> IP address. The web server is www.google.com, but the FQDN is google.com.
ARP: IP address -> MAC address
RARP: MAC address -> IP address
DHCP:
1) DHCP Discover (client, broadcast)
2) DHCP Offer (server)
3) DHCP Request (client)
4) DHCP Acknowledgement (server)

This is the structure of the L3 header:

- Version: 4 for IPv4 and 6 for IPv6
- Header Length: length of the IP packet header in 32-bit words. Value must be >= 5
- DS field for ToS
- Identification: distinguishes fragments of one datagram from another. Identification for a traffic flow
- Flags: whether fragmentation can occur
- Fragment offset: directs reassembly of a fragmented datagram
- Protocol: L4 protocol to use
- Options: specify multiple IP options such as copying, testing and security
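An added example, not from these notes, that parses the fields listed above out of a raw IPv4 header and enforces the version and "Header Length >= 5" rules; the 20-byte header is constructed inline and its checksum computed rather than captured.

```python
"""Parse the IPv4 header fields listed in the notes from raw bytes.

Added example, not from the original notes. The sample header is constructed
by hand (192.168.1.10 -> 10.0.0.5, TCP, Don't Fragment set).
"""
import struct
from typing import Dict


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (checksum field must be zero)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte part, validate it, and return the fields."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes for a minimal IPv4 header")
    first, tos, total_len, ident, flags_frag, ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", data[:12])
    version = first >> 4
    ihl = first & 0x0F                      # header length in 32-bit words
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    if ihl < 5:
        raise ValueError("header length %d words is below the minimum of 5" % ihl)
    header_len = ihl * 4
    if len(data) < header_len:
        raise ValueError("truncated header: IHL says %d bytes" % header_len)
    # Recompute the checksum over the header with the checksum field zeroed.
    zeroed = data[:10] + b"\x00\x00" + data[12:header_len]
    return {
        "version": version,
        "ihl": ihl,
        "dscp": tos >> 2,                   # DS field (top 6 bits of old ToS byte)
        "ecn": tos & 0x03,
        "total_length": total_len,
        "identification": ident,            # groups fragments of one datagram
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,   # in 8-byte units
        "ttl": ttl,
        "protocol": proto,                  # 1 = ICMP, 6 = TCP, 17 = UDP
        "checksum_ok": ipv4_checksum(zeroed) == csum,
        "src": ".".join(str(b) for b in data[12:16]),
        "dst": ".".join(str(b) for b in data[16:20]),
        "options": data[20:header_len],     # empty when IHL == 5
    }


def build_sample() -> bytes:
    """Constructed 20-byte header: IHL 5, DF set, TTL 64, protocol TCP."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0x00, 40, 0x1C46, 0x4000, 64, 6, 0,
                      bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


if __name__ == "__main__":
    for k, v in parse_ipv4_header(build_sample()).items():
        print("%-16s %r" % (k, v))
```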
ACL: CCNA tests router ACLs.

There are 4 types of special ACL:
- Reflexive ACL, or IP session filtering, permits access based on established sessions to individual hosts.
- Dynamic ACL, or Lock-and-key Security, directs the user to telnet to a router that requires authentication, thus blocking unauthorized personnel.
- Time-based ACL permits or denies access based on the time of the day (used with an NTP server).
- Named ACL identifies each ACL entry by its sequence number, so the ACL can be altered. You can manually add sequence numbers, or the router will automatically add them for you (starting from 0 and incrementing by 10). You can delete an entry with no followed by the sequence number.

Tips for configuring ACLs:
1) Put standard ACLs as close to the destination as possible
2) Put extended ACLs as close to the source as possible
3) Create the ACL in a text editor, then copy it to the terminal
4) Disable the ACL before making changes with no ip access-group or no ip access-class (VTY)
5) More specific entries should be listed at the beginning of the ACL.
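First-match evaluation of a standard ACL with wildcard masks, the implicit deny at the end, and why tip 5 (specific entries first) matters, as an added example that is not from these notes; the entries and addresses are constructed.

```python
"""First-match ACL evaluation with Cisco-style wildcard masks.

Added example, not from the original notes. The ACL entries, sequence
numbers and addresses below are constructed; the point is the first-match
logic, the implicit deny, and detecting entries shadowed by an earlier one.
"""
import ipaddress
from typing import List, Optional, Tuple

# (sequence, action, address, wildcard) of a standard ACL entry
Entry = Tuple[int, str, str, str]


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(packet_src: str, entry_addr: str, wildcard: str) -> bool:
    """Wildcard bit 1 = don't care; bits set to 0 must match exactly."""
    wc = ip_to_int(wildcard)
    return (ip_to_int(packet_src) & ~wc) == (ip_to_int(entry_addr) & ~wc)


def evaluate(acl: List[Entry], packet_src: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) of the first matching entry.

    If nothing matches, the implicit deny at the end of every ACL applies,
    reported here with sequence None so it can be told apart from an
    explicit 'deny any any' entry.
    """
    for seq, action, addr, wildcard in sorted(acl, key=lambda e: e[0]):
        if wildcard_match(packet_src, addr, wildcard):
            return action, seq
    return "deny", None


def shadowed_entries(acl: List[Entry]) -> List[int]:
    """Sequence numbers of entries that can never match.

    An earlier entry covers a later one when every don't-care bit of the
    later entry is also don't-care in the earlier one and the fixed bits agree.
    """
    ordered = sorted(acl, key=lambda e: e[0])
    result = []
    for i, (seq, _, addr, wc) in enumerate(ordered):
        for _, _, e_addr, e_wc in ordered[:i]:
            wc_int, e_wc_int = ip_to_int(wc), ip_to_int(e_wc)
            if (wc_int & ~e_wc_int) == 0 and wildcard_match(addr, e_addr, e_wc):
                result.append(seq)
                break
    return result


# Constructed: deny one host, permit the rest of its /24 (specific entry first)
GOOD: List[Entry] = [
    (10, "deny", "10.1.1.99", "0.0.0.0"),
    (20, "permit", "10.1.1.0", "0.0.0.255"),
]
# Same entries in the wrong order: the host entry is shadowed and never fires
SHADOWED: List[Entry] = [
    (10, "permit", "10.1.1.0", "0.0.0.255"),
    (20, "deny", "10.1.1.99", "0.0.0.0"),
]

if __name__ == "__main__":
    for src in ("10.1.1.99", "10.1.1.7", "10.2.0.1"):
        print(src, "GOOD ->", evaluate(GOOD, src), "SHADOWED ->", evaluate(SHADOWED, src))
    print("shadowed in SHADOWED:", shadowed_entries(SHADOWED))
```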

Layer 2 and 3 ACLs can be configured on the switch. To configure a Layer 2 ACL using MAC addresses, use mac access-list extended NAME -> mac access-group NAME {in | out} -> show mac access-group. ACLs don't apply to outbound traffic generated by the router itself.

IPv6

Features of IPv6 include:
- Address assignment feature: IPv6 addresses are grouped by geographic region. Inside each region, the address space is further subdivided by ISP and then further divided for customers.
- Aggregation: since addresses are distributed in groups, they can use CIDR to decrease the size of the routing table. IPv6 addresses are made up of prefix + host; there is no classful addressing in IPv6.
- No need for NAT/PAT
- IPsec is required for IPv6, making VPN easier to access
- Header improvements
- Transition tools

If the prefix length (CIDR) is a multiple of 16, then the IP address can be presented with ::. E.g. 2000:1234:5678:9ABC:1234:5678:9ABC:1111/64 => 2000:1234:5678:9ABC:0000:0000:0000:0000/64 => 2000:1234:5678:9ABC::/64. However, if the prefix length is not a multiple of 16, the quartet (16-bit block) will not be full, so the network address can only be displayed with 0s. E.g. 2000:1234:5678:9A00::/56.

2000::/3 or 3000::3 are reserved for the global unicast prefix. In IPv6, the interface ID is the equivalent of the host ID in IPv4. IPv6 has no zero or broadcast subnet.

There are many types of prefixes. There is the registry prefix that an organization like ICANN assigns to an RIR. The ISP prefix represents the aggregation of all of the ISP's addresses assigned from the RIR to the ISP. The site prefix is the IP address and CIDR that a company can use (assigned from the ISP). A subnet prefix is a longer prefix (made by the network engineer) to increase the number of subnets available from a given site prefix.

IPv6 uses DHCPv6, which is basically the same as DHCP, with DHCPv6 servers operating in stateful (track IP address) or stateless (don't track IP address) modes. DHCPv6 also differs in that it sends multicasts (FF02::1:2) instead of broadcasts.
IPv6 assigns a host address using the MAC address by cutting it in half and inserting FFFE. E.g. if 0034:5678:9ABC is the MAC address, 0234:56FF:FE78:9ABC is the IPv6 interface ID. To configure an IP address statically on a router using the above method, you need the ipv6 address FIRST_64BIT_IPV6_ADDRESS/64 eui-64 command. Else, you can use the ipv6 address command followed by the complete 128-bit address. These are the ways to use IPv6 stateful addressing.

Stateless autoconfiguration uses IPv6 NDP (Neighbor Discovery Protocol) to discover the subnet prefix, then calculates the interface ID from the MAC address without the need of a DHCP server. NDP replaces IPv4 ARP by combining many functions into this suite. NDP includes router solicitation (RS at FF02::2), which asks to identify the default router, its IPv6 address, and the prefix used for this subnet; multiple replies are allowed. Router advertisement (RA at FF02::1), on the other hand, is the reply sent back (to the above question) from the router. Then a stateless DHCP server can be used to provide DNS server information.
Static or Dynamic   Option                        Portion Configured or Learned
Static              Do not use EUI-64             Entire 128-bit address
Static              Use EUI-64                    Just the /64 prefix
Dynamic             Stateful DHCPv6               Entire 128-bit address
Dynamic             Stateless autoconfiguration   Just the /64 prefix
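The EUI-64 rule and the :: display rule from the IPv6 sections above, as an added example that is not from these notes. Besides splitting the MAC and inserting FFFE it flips the universal/local bit, which is what turns 0034 into 0234 in the notes' example; the prefixes used are the ones quoted in the notes.

```python
"""EUI-64 interface ID and IPv6 prefix display.

Added example, not from the original notes. Implements the split-and-insert
FFFE rule with the U/L bit flip, builds a full address from a /64 prefix,
and shows how a prefix compresses with :: (including the /56 case).
"""
import ipaddress


def eui64_interface_id(mac: str) -> str:
    """Return the 64-bit interface ID as four hextets, e.g. '0234:56FF:FE78:9ABC'."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").upper()
    if len(hexdigits) != 12:
        raise ValueError("MAC must be 48 bits (12 hex digits)")
    raw = bytearray.fromhex(hexdigits)
    raw[0] ^= 0x02                          # flip the universal/local bit: 00 -> 02
    eui = raw[:3] + b"\xff\xfe" + raw[3:]   # cut in half, insert FFFE
    h = eui.hex().upper()
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix64: str, mac: str) -> str:
    """Combine a /64 prefix (e.g. '2000:1234:5678:9ABC::') with the EUI-64 ID."""
    text = prefix64 if "/" in prefix64 else prefix64 + "/64"
    net = ipaddress.IPv6Network(text, strict=False)
    iid = int(eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid)).upper()


def compressed_prefix(address: str, prefix_len: int) -> str:
    """Network prefix in compressed form: host bits zeroed, longest zero run -> ::."""
    net = ipaddress.IPv6Network("%s/%d" % (address, prefix_len), strict=False)
    return "%s/%d" % (str(net.network_address).upper(), prefix_len)


if __name__ == "__main__":
    print(eui64_interface_id("0034.5678.9ABC"))
    print(eui64_address("2000:1234:5678:9ABC::", "0034.5678.9ABC"))
    print(compressed_prefix("2000:1234:5678:9ABC:1234:5678:9ABC:1111", 64))
    print(compressed_prefix("2000:1234:5678:9A00::", 56))
```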

IPv6 anycast is a design choice by which servers that support the same function can use the same unicast IP address, with packets sent by clients being forwarded to the nearest server, allowing load balancing across different servers.

Unicast IPv6 addresses can be:
- unique local (like IPv4 private addresses, begin with FD00::/8)
- link local (start with FE80, FE90, FEA0, or FEB0, i.e. FE80::/10). This address is used for packets that do not leave the local subnet, such as sending and receiving NDP packets. Routers also use this address as the next-hop address; these addresses are calculated automatically.

Multicast IPv6 addresses begin with FF02::/16. :: is a special address which represents the unknown address. Hosts can use this when sending packets in an effort to discover their IP address.

IPv6 requires new routing protocols, which are RIPng, OSPFv3, MP-BGP4, and EIGRP for IPv6. These protocols still retain much of the same operational features, but with a different approach. E.g. routing updates are sent with the link local address and different multicast addresses. To configure RIPng:
Step 1. Enable IPv6 routing with the ipv6 unicast-routing global command.
Step 2. Enable the chosen routing protocol. For example, for RIPng, use the ipv6 router rip process-name global configuration command.
Step 3. Configure an IPv6 unicast address on each interface using the ipv6 address address/prefix-length [eui-64] interface command.
Step 4. Enable the routing protocol on the interface, for example, with the ipv6 rip name enable interface subcommand (where the name is the one used in ipv6 router rip name).

Confirm routing with show ipv6 route, show ipv6 interface brief, etc. You can also enable a DNS server and IP host on IPv6 just using the commands implemented for IPv4.

Dual stack refers to hosts or routers that use both IPv4 and IPv6, so both can forward and receive IPv4 and IPv6 packets; BOTH protocols must be supported on the host/router. An IPv6 tunnel is a method of encapsulating an IPv6 packet inside an IPv4 header, just like a VPN header. The first 3 methods are for routers, whereas the last one is for hosts.
- Manually configured tunnels (MCT): tunnel (virtual router, like loopback) interfaces are created, with the configuration to translate between IPv4 addresses used in the IPv4 header.
- Dynamic 6to4 tunnels: IPv4 addresses are found based on the destination IPv6 address.
- Intra-site Automatic Tunnel Addressing Protocol (ISATAP): typically used inside an enterprise, ISATAP tunnels do not work if IPv4 NAT is used between the tunnel endpoints.
- Teredo tunneling: This method allows dual-stack hosts to create a tunnel to another host, with the host creating the IPv6 packet and then encapsulating it inside an IPv4 header.

Another method, called NAT-PT, can be used to translate between IPv4 and IPv6 addresses. RIPng configuration looks like ipv6 router rip RIPng; ipv6 unicast-routing enables IPv6.

Layers summary

Let's start with your example (of one router, 2 switches, and 2 PCs).
1. PC1 wants to send PC2 some data, so the data moves from Layer 7, where the data was generated, down to Layer 4. Now segmentation occurs, and the L4 header is placed in front of the data. This is a segment.
2. The data continues its way down and comes to L3, where the destination IP address (IP address of PC2) and source IP address (IP address of PC1) are put inside the L3 header, which wraps around L4 header + data. This is a packet.
3. When the data reaches L2, the source MAC address (PC1's MAC address) and destination MAC address (router's MAC address) are placed in the data link header. Note that layer 2 has an FCS trailer. This is a frame.
4. The frame is translated (from human language) to bits (computer language, 0 and 1) and sent out on the physical media toward the switch. Theoretically, the frame = (L2 header (L3 header (L4 header (data) ) ) L2 trailer)

Sw1 receives the bits, translates them back into the frame and reads the L2 header. After reading it, Sw1 now knows this frame is destined for the router and forwards the frame to the interface that is connected to the router. The L2 header remains intact and the frame is again translated into bits and sent out to the router. The router now receives the bits and turns them into a frame. The router now knows the frame is for itself, and discards the frame's L2 header and trailer. This is like you received a letter for you, and you open it to see the content. After the L2 header and trailer are discarded, what is left is the L3 header, which contains the destination IP address. After reading the destination IP address and knowing that the packet isn't for the router, the router then makes a decision to forward the packet.

Following the previous analogy, you have received a letter addressed to you, but it's titled to your best friend; of course you would want to give it to her. This is what routers do: they receive things never intended for them, and forward the things to where they are supposed to be. It's a little pathetic if you think about it. Okay, now the router has made a decision where to send this packet; again, it wraps it up into a frame, which now has the source MAC address of the router and the destination MAC address of PC2 (remember that MAC addresses are obtained using ARP). The frame turns into bits and is sent to Sw2. Sw2 receives the frame, reads the L2 header and matches the destination MAC address to an entry in its CAM table (the equivalent of routing tables for routers). Once an entry has been found, the frame is forwarded out the corresponding interface. PC2 now receives the frame and decapsulates it 3 times (bits -> frame -> packet -> segment) until it becomes data only and can be read by PC2's application programs.

In summary, from PC1 to the router: S MAC = PC1's MAC, D MAC = router's MAC, S IP = PC1's IP, D IP = PC2's IP. From the router to PC2: S MAC = router's MAC, D MAC = PC2's MAC, S IP = PC1's IP, D IP = PC2's IP.

CCNA Layer 4

A socket is used by the Layer 4 protocol to identify a currently running application so you can run multiple applications at the same time. A socket consists of destination (D) and source (S) IP address, the transport protocol used (TCP or UDP), and D & S port number. A socket identifies a unique connection. Note: for a connection between server and client, the server ALWAYS uses a port from the well-known range, while the client ALWAYS uses a port from the dynamic port range. For instance, if your PC is trying to contact a web server, it will have a socket that looks like 192.168.1.0:30245, while the replying web server has a socket of 20.14.243.15:80.

A TCP connection must take place before data starts to transmit; since D&S IP, D&S MAC, and transport protocol are known, all that is transferred during the process is the port number used for this connection. TCP connection establishment is a 3-way step: 1) SYN (sender), 2) SYN, ACK (recipient), 3) ACK (sender). TCP termination is a 4-way step: 1) ACK, FIN, SEQ (sender), 2) ACK (recipient), 3) ACK, FIN, SEQ (recipient), 4) ACK (sender).

Sequence number, acknowledgement field, and window size are utilized for the data transfer process. The sequence number is used to identify fragments of data so corrupted or errored segments can be resent. Forward acknowledgement is a feature of TCP (like the sequence number) that provides error recovery. After every while (determined by the window size), a segment is sent from the recipient to the sender asking for the next sequence number it expects; this way, delivery of the previous data is acknowledged. When the forward acknowledgment is sent, a retransmission timer starts to count down. When the timer reaches 0 and no reply is heard from the sender (the next segment), the forward acknowledgement is resent to ensure guaranteed delivery. Note that if the reply from the recipient arrives before all the data has been forwarded out, the device can continue sending. The Window field is a number, in bytes, of how much data can be sent until the next acknowledgement is heard. This number usually grows (the recipient trusts the sender to send good segments) until an error occurs. For example, if this acknowledgment has a window size of 5000, the sender transmits 5000 bytes of data and then waits until the next forward acknowledgment comes to continue sending data.

QoS is the need of network service for each application software; it is a L7 protocol.

Type of Application                                       Bandwidth     Delay    Jitter   Loss
VoIP                                                      Low           Low      Low      Low
Two-way video over IP (such as videoconferencing)         Medium/high   Low      Low      Low
One-way video over IP (such as security cameras)          Medium        Medium   Medium   Low
Interactive mission-critical data (web-based payroll)     Medium        Medium   High     High
Interactive business data (such as online chat)           Low/medium    Medium   High     High
File transfer (such as backing up disk drives)            High          High     High     High
Nonbusiness (such as checking the latest sports scores)   Medium        High     High     High

TCP functions: 1) multiplexing with port numbers, 2) error recovery, 3) flow control with window size, 4) connection establishment and termination, 5) ordered data transfer and segmentation.

CCNA WAN

Dedicated lines use synchronous serial; e.g. PtP
Circuit-switched uses asynchronous serial; e.g. ISDN
Packet-switched uses synchronous serial; e.g. Frame Relay

Leased line

PtP leased line = PtP link = link = circuit = leased circuit = leased line = serial link = serial line. For a PtP link, you need a CSU/DSU in addition to a router. On routers, the connector can be Smart Serial or DB-60, while on the CSU/DSU, it can be V.35, X.21 or EIA/TIA-232, 449, or 530. The connection between the CSU/DSU and the telco uses an RJ-48 connector at the CSU/DSU and a 4-wire circuit. If the router has a built-in CSU/DSU, you just connect the 4-wire circuit from the telco to the RJ-48 port on the router. The CSU/DSU is called the DCE, or clock source, as the clock rate command (in bps) is used to specify the clock rate, otherwise known as bandwidth, or link speed. This process tells the router when to send and when not to send data and happens many times a second.

Leased lines come in multiples of 64 Kbps (DS0). T1 (DS1) = 24 * DS0 + 8 Kbps = 1.544 Mbps; E1 = 2.048 Mbps. A leased line, like Ethernet, is baseband, and uses Time-Division Multiplexing (TDM). In a PtP WAN, either PPP or HDLC is used as the Layer 2 encapsulation. There are 2 versions of HDLC, one is the industry standard and one is Cisco proprietary:

The Cisco version has an additional Type field, which is used to identify the Layer 3 protocol carried. When building a leased line between 2 routers in a lab, use a DTE cable and a DCE cable, one for each router. The router with the DCE cable is the clock source, and the cables join at their ends, called the DCE and DTE connectors, respectively. The DCE connector is female while the DTE connector is male. Other than synchronous links, PPP also supports asynchronous links, and its Protocol field defines the L3 protocol carried; it supports IPv4 and IPv6. PPP defines 2 types of link control messages:
- PPP link control protocol (LCP) implements the functions used regardless of the L3 protocol. If completed successfully, show interfaces will display LCP Open
- PPP control protocols (CP) implement functions specific to the L3 protocols used. If successful, Open: CDPCP, IPCP etc. will show in show interfaces

Function                LCP Feature                       Description
Looped link detection   Magic number                      Detects if the link is looped (sending data to itself), and disables the interface. Each router has a different magic number; if a router receives the same magic number (included in LCP messages), the route is looped and convergence begins.
Error detection         Link Quality Monitoring (LQM)     Examines the FCS trailer; monitors the error rate with LQM. If it exceeds the max error rate, brings down the link.
Multilink support       Multilink PPP                     Only useful in case of multiple links. Equally load-balances traffic over multiple parallel links.
Authentication          PAP (clear text) and CHAP (MD5)   Exchanges credentials (username and password) to verify identity.

Credentials for CHAP can be configured locally or on an AAA server. To configure credentials locally:
- Configure the router hostname, then an account with (config)#username N password P, where the username is the OTHER router's hostname.
- Enable CHAP on the connected interface using (config-if)#ppp authentication chap
PAP configuration is exactly like CHAP. You can configure multiple methods with chap pap or vice versa.

Packet switch WAN

                           Circuit-switching              Packet-switching
Implemented at OSI layer   Physical                       Data Link
Topology                   Point-to-Point (leased line)   Multipoint (Frame Relay, ATM)

Frame Relay:
- Uses DLCI (header field) to identify a network
- L2 encapsulation (header, no trailer) is LAPF
- Routers connect to the telco (without CSU/DSU) using a single access link, which is composed of virtual circuits for the actual data transfer. The speed of the access link is called the access rate and the speed of a VC is the CIR. The speed of all VCs can't exceed the access rate
- Frame-switched
- One physical link, many logical links

ATM:
- Uses VPI and VCI (header fields) to identify
- L2 encapsulation (header, no trailer) is SONET
- Routers connect to the telco (without CSU/DSU) using a single access link, which is composed of virtual circuits for the actual data transfer. The speed of the access link is called the access rate and the speed of a VC is the CIR. The speed of all VCs can't exceed the access rate
- Cell-switched; cell = 48 bytes data + 5 bytes header
- Faster than Frame Relay

Frame Relay is non-broadcast multiaccess (NBMA) because it allows multiple routers in a WAN without broadcast. A PVC from one site has a PtP connection with the PVC at another site. Frame Relay doesn't allow you to ping the IP address of the local router. In this WAN, the DTE is your router while the DCE is the Frame Relay switch controlled by the telco; these communicate with each other by LMI. There are Cisco (cisco), ITU (q933a), and ANSI (ansi) LMI types; all are incompatible with each other (the frame-relay lmi-type command disables autosense). LMI does the following:
- It performs a keepalive function between the DTE and DCE. If the access link has a problem, the absence of keepalive messages implies that the link is down.
- It signals whether a PVC is active or inactive. Even though each PVC is predefined, its status can change. An access link might be up, but one or more VCs could be down. The router needs to know which VCs are up and which are down. It learns that information from the switch using LMI status messages.

LAPF does not have a Protocol Type field, which is complemented by Cisco's segment header (2-byte) between the LAPF header and the L3 packet (cisco); there is also the RFC 1490 header, incompatible with Cisco's (ietf). Both DTEs must agree on the encapsulation used.

The data-link connection identifier (DLCI) is the Frame Relay L2 address; there are local and global DLCIs. Frame Relay has only one address field in its header, and for a local DLCI, that field holds the DLCI of the VC that a frame from this device will exit. For a global DLCI, the opposite perspective is taken by swapping the local DLCI and thinking of it as the destination DLCI; this is just for better understanding. To differentiate: if 2 VCs terminate at the same DTE and a single DLCI is shown, it's global. Know that (in the local DLCI perspective), when a Frame Relay frame is sent with the local DLCI, the recipient router gets the frame with its VC's local DLCI on it. This is handled by the Frame Relay switch (DCE) in the telco.

Frame Relay can have different L3 addressing than other WANs. There are 2 options: using one subnet for all Frame Relay DTEs (usually implemented for a full-mesh topology), or using a subnet for a single VC (usually used on a partial-mesh topology). Routers can support multiple addresses on a single link by using sub-interfaces, which can be point-to-point (using one DLCI) or multipoint (2 or more DLCIs). In Frame Relay, routers also need to send updates to other routers, specifically a broadcast. However, this is not possible since Frame Relay is NBMA. There are 2 solutions; you can configure every router to send a copy of the packet out on each of the VCs. The impact on bandwidth usage can be limited by limiting the usage.

Frame Relay frames have three single-bit flags that can be used to control the Frame Relay process: the FECN, BECN, and DE bit flags. Traffic shaping allows the router to control the amount of traffic sent, thus making sure that it is not too much or too little. You can set traffic shaping to use a single speed, or adapt to a range between 2 speed settings. For example, if the path from R1 to R2 is congested, the Frame Relay switch detects it and sets the FECN bit ON (1); when R2 receives it, it replies with a message with the BECN bit ON. So R1 now knows that the opposite path from which this frame is received (the path going to R2) is congested and slows down depending on the traffic shaping applied. The DE bit, on the other hand, is set on traffic that uses the extra bandwidth of the access link; this traffic may be discarded during times of high load. Clients can select which traffic gets the DE bit ON (available to be discarded), so important traffic is not lost during transmission.

By default, Cisco IOS automatically senses the LMI type and automatically discovers the mapping between DLCIs and next-hop IP addresses (using Inverse ARP); the Frame Relay encapsulation type is Cisco on Cisco routers (there are 2 types of Frame Relay encapsulation, Cisco and IETF). A PVC is inactive because the neighbor is not receiving LMI.

Cable and DSL

Cable modems and DSL modems are also WAN access methods that are more commonly used as Internet-access methods. Modems are connected to routers using a straight-through cable, and modems are commonly placed between the router and the Internet (some devices act both as a router and a modem); these are called SOHO routers. These routers act as a DHCP server on the LAN interface and as a DHCP client on the interface connected to the ISP.

DSL modem: Always-on; connected to a DSLAM (telco). Allows phone and Internet at the same time; uses free frequency of the analog band.
Cable modem: Always-on; connected to CATV cabling; symmetric. Allows phone and Internet at the same time; uses free frequency of the TV band.

DSL modem: Varying speed depends on 1) local loop quality, 2) type of DSLAM, 3) type of DSL, and 4) distance from CO [DSL doesn't operate at more than 5 KM from CO]
Cable modem: 2 - 5 times faster than DSL; throughput degrades under higher loads

Acronym   Name                      Type
ADSL      Asymmetric DSL            Asymmetric
CDSL      Consumer DSL              Asymmetric
VDSL      Very-high-data-rate DSL   Asymmetric
SDSL      Symmetric DSL             Symmetric
HDSL      High-data-rate DSL        Symmetric
IDSL      ISDN DSL                  Symmetric

Feature             Supported by ESP?   Supported by AH?
Authentication      Yes (weak)          Yes (strong)
Encryption          Yes                 No
Anti-replay         Yes                 No
Message integrity   Yes                 Yes

Public Switched Telephone Network (PSTN) refers to the equipment and devices between any 2 phones; some people take advantage of this network to create WAN technology. Any phone an ISP establishes has a special electrical circuit, made of 2 wires, called the local loop, between the phone and the telco's CO. Sound waves are converted to analog signals to transfer through the local loop to computers called voice switches. These switches connect and transfer digital signals between them with the help of PCM. Analog modems take advantage of the current PSTN and send data through the circuit by converting digital signals made by the computer to analog signals transferred by phone. Modulation/demodulation refers to the process by which the modem changes the analog signal. However, you can't call and send data at the same time. Analog modems are asynchronous and circuit switched.

VPN

A tunnel generically refers to a packet sent by a protocol that is encapsulated in another packet. In a VPN, a tunnel is created between (authenticated) ends and all packets transferred are encrypted (entire packet), then encapsulated in a VPN header and another L3 header.

Type       Typical Purpose
Intranet   Connects all the computers at two sites of the same organization, typically using one VPN device at each site
Extranet   Connects computers from one network into another network
Access     Connects individual Internet users to the enterprise network

To build a VPN, hardware/software that understands VPN protocols MUST be used:
- Routers with special add-on cards can provide VPN functions
- ASA is a Cisco device that provides many security functions, including VPN
- PIX firewall is an older Cisco product that acts like a firewall and can perform VPN functions
- VPN concentrators are old Cisco devices that solely function for VPN
- VPN client is software residing on a PC to perform access VPN

VPNs implement protocols defined by the IPsec framework in:
1) Encryption, hiding data so a hacker can't steal it; uses a public and private key. These encryption keys are also known as session keys, shared keys, or shared session keys. The encryption is dynamic, meaning a different packet uses a different key. There are DES (56 bits), 3DES (56 * 3), and AES (128 or 256).
2) Key exchange is the process in which the session keys are exchanged. The earliest way was PSK, or manually entering the key individually. IPsec uses IKE, which in turn is based on DH. There are DH-1 (768 bits), DH-2 (1024 bits) and DH-5 (1536 bits). DH key size is proportional to the length of the session key.
3) Message integrity and authentication check whether a packet has been tampered with. In IPsec, it's performed by the Authentication Header (AH). Protocols used include HMAC-MD5 (integrity), HMAC-SHA (integrity), PSK (authentication), and RSA signatures (authentication). Note that if the VPN is using ESP as the encryption protocol, there is no need for these protocols.

A VPN uses one of 2 protocols to define a header, ESP or AH. Cisco provides Easy VPN to dynamically configure VPNs on multiple sites. SSL can also be used to provide VPN access through the web browser; this is web VPN. Web VPN typically allows only web traffic and secures the VPN connection by using SSL between the end user and a special Web VPN server (which can be implemented by an ASA). To use web VPN, the Internet-based user opens a web browser and connects to a Web VPN server. The server then offers a list of options (services) to the client. The drawback is that only web browsers are permitted; if you want to use an application that can't be accessed using a browser, you can either switch back to IPsec or use software called a thin client (that connects to the VPN and acts as if the computer is there).

SDM

Unencapsulated routing means an ordinary frame is sent out the router interface; PPPoE is encapsulated routing. If a router is a DHCP client on the interface connected to the ISP, you need to do show dhcp server to obtain the DNS server for use with your inside network. When configuring NAT, interfaces with an assigned IP address are possible candidates for the inside interface. When finished configuring a wizard, the changes are made to running-config; only pressing the Save button will write the changes to startup-config. SDM only runs in web browsers.

CCNA Security

DoS (destroy): smurf attacks (no ip directed-broadcast), DDoS, TCP SYN
Reconnaissance (intelligence): port scanners, packet sniffers, ping sweeps, information queries (such as DNS, CDP, ping, etc.)
Access (steal data): password attacks, man-in-the-middle attacks, port redirection, trust exploitation

Cisco ASA provides or assists in the overall defense-in-depth design. Anti-x is a term used for preventive measures against attacks. Other measures include AAA, ACL, [encryption (SSH, SSL, IPsec)], [Cisco (syslog, SSH, SNMP, and NTP)], IPS, IDS, firewall.

WLAN security risks and solutions:
- War driver: strong authentication
- Hacker: strong authentication + strong encryption
- Rogue AP: IDS/IPS/SWAN

WLANs use WEP, WPA, or WPA2 encryption methods. WEP has a static PSK used with SSID cloaking and MAC filtering. Cisco enhancements include dynamic PSK + 802.1x authentication + an encryption key for each packet. WPA = dynamic PSK + MIC algorithm + 802.1x authentication. IEEE 802.11i, WPA2 = AES + 802.1x authentication.

CCNA Troubleshooting

EMI causes the CRC error counter in show interfaces to increase. Jabber will increase collision counters. A duplex mismatch will increase runts, collision counters, and late collisions. Late collisions are collisions after the first 64 bytes of data; these collisions are dealt with at upper layers. Other causes include exceeding the cable length.

ICMP controls IP as it sits inside an IP packet with no transport layer header. ICMP Echo Request is the ICMP message sent out when you ping someone; ICMP Echo Reply is the message you get.
ICMP messages:
- Destination Unreachable: Tells the source host that there is a problem delivering a packet. Contains 5 reasons, listed in the next table.
- Time Exceeded: Message shown when TTL becomes 0; TTL - 1 for every router it passes.
- Redirect: When multiple routers exist in a network and a PC sends an ICMP message to Router1, which believes Router2 is closer to the destination, Router1 will return a Redirect ICMP message for the message to be sent to Router2.
- Echo Request, Echo Reply: Used by the ping command to verify connectivity.

Unreachable codes (sending device in parentheses):
- Network unreachable (Router): There is no match in a routing table for the packet's destination.
- Host unreachable (Router): The packet can be routed to a router connected to the destination subnet, but the host is not responding.
- Can't fragment (Router): The packet has to be fragmented as the destination can't handle such packets. However, the Don't Fragment bit is set, which means the router cannot fragment the packet.
- Protocol unreachable (Host): The packet is delivered to the destination host, but the transport layer protocol (TCP, UDP) is not available on that host.
- Port unreachable (Host): The packet is delivered to the destination host, but the destination port has not been opened by an application.

ping code   Description
!           ICMP Echo Reply received
.           Nothing was received before the ping command timed out
U           ICMP unreachable (destination) received
N           ICMP unreachable (network/subnet) received
M           ICMP Can't Fragment message received
?           Unknown packet received

Symptoms and common root causes:
- The host can send packets to hosts in the same subnet, but not to other subnets: The host does not have a default gateway configured, or the default gateway IP address is incorrect. Default gateway in a different subnet.
- Some hosts in a subnet can communicate with hosts in other subnets, but others cannot: This may be caused by different masks used for the router and the host. This may result in the router's connected route not including some of the hosts on the LAN.
- Some hosts on the same VLAN can send packets to each other, but others cannot: The hosts may not be using the same mask.

Troubleshoot ACL: Determine which interfaces are applied and in which direction (show run, sh ip interfaces) Determine what ACL entries are (show access-lists, show ip access-lists) Analyze ACL by: ACL uses rst match logical and wildcard Note the keywords, ip, tcp, udp, and icmp. Use explicit deny any any instead of implicit deny Troubleshoot connectivity between host and router: ping the host from router, or router from host. If fail, ensure router interface is up/up using show interfaces or show interfaces status Ensure host and router (interface connected to host) is in the same subnet If VLAN trunking is involved, troubleshoot this. If above steps are done, and still cant ping from host to router and vice versa, check L1 and L2. If previous ping is successful, verify functionality of router by ping the host from another interface or vice versa. After verifying connectivity between host and router, you should also check connectivity between routers. 1)traceroute from R1 to R2, if successful but problem still persist, check ACL. If failed,

2) If the traceroute failed, test the forward route by telnetting to the last traced router and checking its routing table for a route to the destination network.
- If not found, investigate the routing protocol and static routes.
- If not found but a default route exists, confirm the router is classless with the ip classless command.
- If found, check that the route points in the correct direction.
- If found, ping the next-hop router, or the device itself if it is the last router. If that fails, check L2 and ACLs. If it succeeds but the problem still persists, check ACLs.
3) If the forward route works, test the backward route by repeating the forward-route steps.

Traceroute works by sending messages with an incrementing TTL to the routers along the path to the destination. The first message has a TTL of 1; when it reaches the 1st router, the TTL becomes 0 and a Time Exceeded error is sent back, carrying the IP address of that router. The second message has a TTL of 2; when it reaches the 2nd router the TTL has been decremented twice (2 - 1 - 1 = 0) and a Time Exceeded error is sent back with that router's IP address. The process repeats until the destination is reached. If we have a network of 2 routers and 2 PCs, with R1 connected to PC1 at E 0/0 and to R2 at S 0/1/0, and R2 connected to PC2 at E 0/0, a traceroute from PC2 to PC1 will show 1) the IP address of R2's E 0/0, 2) the IP address of R1's S 0/1/0, 3) the IP address of PC1.

To troubleshoot routing protocols:
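The first-match rule from the ACL troubleshooting steps above, as an added example that is not part of the original notes: a small Python evaluator for a two-entry extended ACL with IOS-style wildcard masks and the implicit deny at the end. The ACL entries, addresses and ports are constructed for the example.

```python
# Added example, not from the original notes: how an IOS ACL is evaluated.
# First match wins, later entries are never consulted, and every ACL ends with
# an implicit "deny any any". Wildcard masks use the IOS convention:
# a 0 bit means "must match", a 1 bit means "don't care".
# The ACL entries, addresses and ports below are constructed for the example.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """True if addr matches base under an IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits that must match
    return (a & care) == (b & care)

# Each entry: (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port)
# Equivalent to:
#   access-list 101 deny   tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq 23
#   access-list 101 permit ip  10.1.1.0 0.0.0.255 any
ACL = [
    ("deny",   "tcp", "10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255", 23),
    ("permit", "ip",  "10.1.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry index) for the first matching entry, or
    ("deny", None) when only the implicit deny at the end matches."""
    for i, (action, p, s, sw, d, dw, port) in enumerate(acl):
        if p != "ip" and p != proto:        # the ip keyword matches every protocol
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None
```

Swapping the two entries makes the same Telnet packet hit the permit entry first, which is exactly the ordering mistake the first-match rule warns about.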
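The traceroute walk over the two-router topology described above, as an added example that is not part of the original notes: each probe is forwarded hop by hop, every router decrements the TTL, and the router where it reaches 0 answers from the interface the probe arrived on. All IP addresses and interface names are constructed for the example.

```python
# Added example, not from the original notes: a model of how traceroute walks the
# two-router topology described above (PC1 -- R1 E0/0, R1 S0/1/0 -- R2 S0/1/0,
# R2 E0/0 -- PC2). Routers decrement the TTL and, when it hits 0, reply with ICMP
# Time Exceeded sourced from the interface the probe arrived on. IP addresses
# and interface names are constructed for the example.
import ipaddress

class Node:
    def __init__(self, ifaces, routes):
        self.ifaces = ifaces    # {interface: IPv4 address}
        self.routes = routes    # [(prefix, egress interface)]

    def route(self, dst):
        """Longest-prefix match; returns the egress interface or None."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in ipaddress.ip_network(r[0])]
        return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
                   default=(None, None))[1]

PC1 = Node({"eth0": "10.1.1.10"}, [("0.0.0.0/0", "eth0")])
R1 = Node({"E0/0": "10.1.1.1", "S0/1/0": "10.1.12.1"},
          [("10.1.1.0/24", "E0/0"), ("10.1.12.0/30", "S0/1/0"), ("10.1.2.0/24", "S0/1/0")])
R2 = Node({"E0/0": "10.1.2.1", "S0/1/0": "10.1.12.2"},
          [("10.1.2.0/24", "E0/0"), ("10.1.12.0/30", "S0/1/0"), ("10.1.1.0/24", "S0/1/0")])
PC2 = Node({"eth0": "10.1.2.10"}, [("0.0.0.0/0", "eth0")])
LINKS = {(PC2, "eth0"): (R2, "E0/0"), (R2, "S0/1/0"): (R1, "S0/1/0"), (R1, "E0/0"): (PC1, "eth0")}
LINKS.update({peer: local for local, peer in list(LINKS.items())})   # links are bidirectional

def send_probe(src, dst_ip, ttl, links=LINKS):
    """Forward one probe hop by hop; return the address that answers, or None if lost."""
    node, ingress = src, None
    while True:
        if dst_ip in node.ifaces.values():
            return dst_ip                       # the destination host answers the probe itself
        if ingress is not None:                 # a router received it: decrement the TTL
            ttl -= 1
            if ttl == 0:
                return node.ifaces[ingress]     # Time Exceeded, sourced from the ingress interface
        egress = node.route(dst_ip)
        if (node, egress) not in links:
            return None                         # no route or no link: the probe is lost
        node, ingress = links[(node, egress)]

def traceroute(src, dst_ip, max_hops=30):
    hops = []                                   # answering address for TTL 1, 2, ...
    for ttl in range(1, max_hops + 1):
        hops.append(send_probe(src, dst_ip, ttl))
        if hops[-1] == dst_ip:
            break
    return hops
```

From PC2 the hops come back as R2's E0/0, then R1's S0/1/0, then PC1 itself, matching the order given in the notes.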
Step 1. Examine the internetwork design to determine on which interfaces the routing protocol should be enabled and which routers are expected to become neighbors.
Step 2. Verify whether the routing protocol is enabled on each interface (as per Step 1). If it isn't, determine the root cause and fix the problem.
Step 3. Verify that each router has formed all expected neighbor relationships. If it hasn't, find the root cause and fix the problem.

To troubleshoot Layer 2:
Step 1. Confirm the switch names, topology (including which interfaces connect which switches), and switch VTP modes.
Step 2. Identify sets of two neighboring switches that should be either VTP clients or servers whose VLAN databases differ with the show vlan command.
Step 3. On each pair of two neighboring switches whose databases differ, verify the following:
a. At least one operational trunk should exist between the two switches (use the show interfaces trunk, show interfaces switchport, or show cdp neighbors command).
b. The switches must have the same (case-sensitive) VTP domain name (show vtp status).
c. If configured, the switches must have the same (case-sensitive) VTP password (show vtp password).
d. While VTP pruning should be enabled or disabled on all servers in the same domain, having two servers configured with opposite pruning settings does not prevent the synchronization process.
Step 4. For each pair of switches identified in Step 3, solve the problem by either troubleshooting the trunking problem or reconfiguring a switch to correctly match the domain name or password.

3 general steps of troubleshooting:
1) Analyze normal operation and compare it with the signs of the symptoms. The data plane is any action taken by networking devices to forward data. The control plane is the overhead processing that is not itself needed to forward data.
2) Isolate the problem by examining all layers and comparing them with normal operation.
3) Root cause analysis: continue to isolate the problem until you have reached a conclusion.
Line Status | Protocol Status | Interface Status | Typical Root Cause
admin. down | down | disabled | Interface is configured with the shutdown command.
down | down | notconnect | No cable; bad cable; wrong cable pinouts; speeds mismatched on the two connected devices; device on the other end of the cable is either powered off or the other interface is shut down.
up | down | notconnect | Not expected on LAN switch interfaces.
down | down (err-disabled) | err-disabled | Port security has disabled the interface.
up | up | connect | Interface is working.

4 steps in troubleshooting:
1) Confirm the network diagram using CDP: show cdp neighbors, show cdp neighbors detail, or show cdp entry {neighbor-name|*}. Port ID refers to the port on which the connection is established on the connected device, not the local device.
2) Isolate interface problems by checking:
- Whether the interface state is up/up, using show interfaces, show interfaces description, or show interfaces status. The latter command tells you whether the link was established by auto-negotiation; a-full means full duplex was auto-negotiated. On Cisco switches, if you manually configure a speed on a port and the connected device cannot operate at that speed, the port will be in a down/down, or notconnect, state. However, on switches that do not have the speed command, the possible speeds are obtained from the end device and the interface tries to operate at that speed; this speed is shown with an a- prefix, e.g. a-100 means 100 Mbps was auto-negotiated. IEEE 802.3x defines autonegotiation.
- Duplex mismatch, using show interfaces or show interfaces status. Note: if the duplex of a port does not match that of the connected device, the link still operates. Watch the runts, collisions and late collisions counters in show interfaces for abnormal increases. The default for 10/100 Mbps ports is half duplex, while 1 Gbps is full duplex.
3) Port security: to identify interfaces using port security, use show running-config or show port-security {interface int-name}. In this output, the last source MAC address is shown to provide a clue to which device caused the shutdown. You can configure a port to shut down, increment the violation counter, or do nothing with switchport port-security violation {shutdown|restrict|protect}, respectively. Since a violation in protect mode does not increment the violation counter and the port state is still up/up, do not be tempted to think the configuration is fine.
Violation Mode | Discards Offending Traffic | Discards All Traffic After Violation Occurs | Increments Violation Counter for Each New Violation | Interface State Results in err-disabled
shutdown | Yes | Yes | Yes | Yes
restrict | Yes | No | Yes | No
protect | Yes | No | No | No
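The three violation modes from the table above, as an added example that is not part of the original notes: a small Python model of a port-security port that replays constructed frames and reports what is forwarded, the violation counter and the interface state. It shows why a port in protect mode looks healthy (up/up, counter 0) while silently dropping frames; the MAC addresses are constructed for the example.

```python
# Added example, not from the original notes: a model of the three
# switchport port-security violation modes. 'protect' keeps the port up/up and
# never increments the violation counter, which is why such a port can look
# healthy while it is silently dropping frames. MAC addresses are constructed.
class PortSecurity:
    def __init__(self, mode, maximum=1):
        assert mode in ("shutdown", "restrict", "protect")
        self.mode, self.maximum = mode, maximum
        self.secure_macs = set()    # dynamically learned secure addresses
        self.violations = 0         # SecurityViolation counter
        self.state = "up/up"        # line/protocol status as show interfaces reports it
        self.last_source = None     # Last Source Address shown by show port-security

    def receive(self, src_mac):
        """Process one ingress frame; return True if it is forwarded."""
        if self.state == "err-disabled":
            return False                           # shutdown mode: all traffic discarded
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)          # learn until the maximum is reached
            return True
        # Offending frame: every mode discards it; the modes differ in what else happens.
        if self.mode == "shutdown":
            self.violations += 1
            self.state = "err-disabled"            # show interfaces status -> err-disabled
        elif self.mode == "restrict":
            self.violations += 1                   # counter grows, port stays up/up
        # protect: nothing counted, port stays up/up
        return False

def run_frames(mode, frames):
    """Replay frames through a fresh port; return (forwarded flags, counter, state)."""
    port = PortSecurity(mode)
    forwarded = [port.receive(mac) for mac in frames]
    return forwarded, port.violations, port.state

# Constructed sample: the first MAC is learned, the second one is the offender.
FRAMES = ["0200.1111.1111", "0200.2222.2222", "0200.1111.1111", "0200.2222.2222"]
```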

4) Isolate VLAN and trunking problems: check a) all access interfaces and their VLANs, b) the existing VLANs, c) the trunking port on each interface. This information can be found with

To troubleshoot WAN problems:
Line Status | Protocol Status | Likely Reason/Layer
Administratively down | Down | Interface is shut down
Down | Down | L1: leased line is down (telco); line from telco is not plugged into the CSU/DSU; CSU/DSU failed or misconfigured; serial cable from router to CSU/DSU is faulty
Up | Down | Layer 2
Up | Up | Layer 3; check whether the IP addresses are on the same subnet. A ping works with PPP (it installs a /32 host route for the peer) but not with HDLC.

Line Status | Protocol Status | Likely Reason
Up | Down (stable) on both ends | Mismatched encapsulation commands
Up | Down (stable) on one end, flapping between up and down on the other | Keepalive is disabled on the end in an up state; use the keepalive interface command
Up | Down on one end (keepalive set), up on the other (no keepalive set) | Keepalive is disabled on the end in an up state; use the keepalive interface command
Up | Down (stable) on both ends | PAP/CHAP authentication failure; use debug

Symptoms When IP Addresses on a Serial Link Are in Different Subnets | HDLC | PPP
Does a ping of the other router's serial IP address work? | No | Yes
Can routing protocols exchange routes over the link? | No | No
